Backdoor:Win32/Beastdoor.L is a trojan that modifies system security settings and allows backdoor access and control of the affected computer.
Installation
Backdoor:Win32/Beastdoor.L copies itself to %windir% and <system folder> under variable file names, typically one .EXE file and two .COM files. In the wild, we have observed the malware using file names such as the following:
- <system folder>\wamp.exe
- <system folder>\msldeg.com
- %windir%\msagent\mshiwq.com
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.
Backdoor:Win32/Beastdoor.L modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}
Sets value: "StubPath"
With data: "<system folder>\msldeg.com"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "COM Service"
With data: "%windir%\msagent\mshiwq.com"
Payload
Modifies system security settings
Backdoor:Win32/Beastdoor.L modifies the affected computer's security settings by disabling the Shared Access service (Windows Firewall/Internet Connection Sharing), setting its start type to 4 (disabled):
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Sets value: "Start"
With data: "4"
The malware also disables dial-up connections (RAS Autodial) by making the following registry change:
In subkey: HKCU\Software\Microsoft\RAS Autodial\Control
Sets value: "LoginSessionDisable"
With data: "1"
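The registry locations listed under Installation and under Modifies system security settings can be checked from a defender's side. The following PowerShell script is an added example, not part of this write-up; it assumes it runs in an elevated PowerShell session on the host being inspected and reports each indicator as a hit only when the value the malware writes is present.

```powershell
# Added example (not from the original analysis): look for the persistence entries and
# security-setting changes described above. Run elevated on the host under inspection.

$registryChecks = @(
    @{ Name = 'Active Setup StubPath'
       Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}'
       Value = 'StubPath'; Expect = $null; Note = 'persistence: any data under this GUID is suspicious' },
    @{ Name = 'Policies Explorer Run "COM Service"'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
       Value = 'COM Service'; Expect = $null; Note = 'persistence: any data is suspicious' },
    @{ Name = 'SharedAccess service disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
       Value = 'Start'; Expect = 4; Note = 'Start=4 means the service is disabled' },
    @{ Name = 'RAS Autodial login session disabled'
       Path = 'HKCU:\Software\Microsoft\RAS Autodial\Control'
       Value = 'LoginSessionDisable'; Expect = 1; Note = 'dial-up disabled' }
)

# File names observed in the wild for this family; %windir% resolves to $env:SystemRoot.
$fileChecks = @(
    (Join-Path $env:SystemRoot 'System32\wamp.exe'),
    (Join-Path $env:SystemRoot 'System32\msldeg.com'),
    (Join-Path $env:SystemRoot 'msagent\mshiwq.com')
)

function Test-BeastdoorIndicators {
    foreach ($c in $registryChecks) {
        $hit = $false; $data = $null
        if (Test-Path -LiteralPath $c.Path) {
            # -LiteralPath keeps the braces in the Active Setup GUID from being treated as a pattern.
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $data = $item.($c.Value)
                # Persistence entries: any data is a hit. Settings: only the value the malware writes.
                $hit = ($null -eq $c.Expect) -or ($data -eq $c.Expect)
            }
        }
        [pscustomobject]@{ Indicator = $c.Name; Hit = $hit; Data = $data; Note = $c.Note }
    }
    foreach ($f in $fileChecks) {
        [pscustomobject]@{ Indicator = "File $f"; Hit = (Test-Path -LiteralPath $f); Data = $null
                           Note = 'dropped copy (file names vary between samples)' }
    }
}

Test-BeastdoorIndicators | Format-Table -AutoSize
```

A hit on the SharedAccess or RAS Autodial value alone can have benign causes (an administrator may disable either), so treat those as corroborating evidence next to the persistence entries and dropped files rather than as proof of infection on their own.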
Allows backdoor access and control
The malware sends an email confirming the infection, including the affected computer's IP address and port details. It then attempts to open a port, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on the affected computer, including:
- Take a screen capture
- Record webcam
- Open, close and remove the CD-ROM
- Download and execute arbitrary files
- Swap mouse buttons
- Control the mouse
- Execute commands
- Steal files from the affected computer
- Change the time on the affected computer
- Send emails
- Copy window text, then send the captures via email
- Log keystrokes or steal sensitive data
Analysis by Matt McCormack