Backdoor:Win32/Jukbot.B is a trojan that allows limited remote access and control of an affected computer. It functions as part of a botnet: the trojan communicates with a command and control server to receive instructions and to perform actions.
Installation
The backdoor has been observed using different file names and service names when it is dropped onto the computer. When run, it copies itself to the <system folder> under various file names, for example "panp.exe", "slnso.exe", "btlp.exe", and so on.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The registry is modified to run Backdoor:Win32/Jukbot.B as a Windows service, using various service names, to ensure that its copy executes at each Windows start. The backdoor makes the following changes to the registry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<service name>
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: <dropped malware path>
Sets value: "DisplayName"
With data: "<service name>"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Description"
With data: "Network address translation for virtual networks.If this service is stopped, protected content might not be down loaded to the device."
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\VMservices\Security
Sets value: "Security"
With data: hex: <Hex Value>
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\VMservices\Enum
Sets value: "0"
With data: "Root\LEGACY_VMSERVICES\0000"
Sets value: "Count"
With data: "dword:00000001"
Sets value: "NextInstance"
With data: "dword:00000001"
In subkey: HKLM\SYSTEM\CURRENtcoNtrolset\services\<service name>
Sets value: "<malware file name>"
With data: "<system folder>\<malware file name>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMSERVICES
Sets value: "NextInstance "
With data: "dword:00000001"
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMSERVICES\0000
Sets value: "Service"
With data: "<service name>"
Sets value: "Legacy"
With data: "dword:00000001"
Sets value: "ConfigFlags"
With data: "dword:00000000"
Sets value: "Class"
With data: "LegacyDriver"
Sets value: "ClassGUID"
With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "DeviceDesc"
With data: "<service name>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMSERVICES\0000\Control
Sets value: "*NewlyCreated*"
With data: "dword:00000000"
Sets value: "ActiveService"
With data: "<service name>"
Payload
Allows remote access and control
Backdoor:Win32/Jukbot.B attempts to connect to a predetermined command and control server. In the wild, we observed the malware connecting to the domain "qianli8211.3322.org".
Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to:
Delete its service
Download and execute files from a given URL
Execute commands
Reboot, shutdown and power off the computer
Launch distributed denial of service (DDoS) attacks using UDP, ICMP, and HTTP floods
Stop the DDoS attack
Delete a specified file
Get drive type
Harvest files and send to the command and control server
Create and use a log file "c:\bot.txt"
The backdoor may also send information back to a remote attacker, such as:
Computer name
Operating System version
CPU speed
Physical RAM
CPU model
Analysis by Rex Plantado