Installation
Backdoor:Win32/Nioupale.A can be downloaded by other malware or installed from malicious websites.
We have seen it install a copy of itself using the following file names:
When run, it creates the file msid.dat in the same folder as the copy above.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "mdwkkggs"
With data: "<malware path file>", for example "%ProgramFiles%\common files\system\library\mshost.exe"
Sets value: "msdgsods_mini"
With data: "<malware path file>", for example "%USERPROFILE%\system\library\mshost.exe"
Backdoor:Win32/Nioupale.A can also create a service using the following registry entries:
In subkey: HKLM\System\CurrentControlSet\Services\mdwkkggs
DisplayName = Microsoft Windows Disk Storage Service
ImagePath = <malware path file>
In subkey: HKLM\System\CurrentControlSet\Services\msdgsods_mini
DisplayName = Microsoft Windows Rapid Storage Service
ImagePath = <malware path file>
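As an added example that is not part of this write-up, the following read-only PowerShell check looks for the persistence entries listed above on the local machine. The Run value names, service names, DisplayName strings and the msid.dat file name are taken from this page; the script's own function and variable names are assumptions.

```powershell
# Added example: read-only triage for the Nioupale.A persistence artifacts
# described above. Names come from the write-up; the script layout is assumed.
$runValueNames = @('mdwkkggs', 'msdgsods_mini')
$serviceNames  = @('mdwkkggs', 'msdgsods_mini')
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Name, [string]$Data) {
    # Strip quotes, expand %ProgramFiles% / %USERPROFILE% as seen in the
    # example data, and look for msid.dat beside the binary, where the
    # write-up says the malware creates it.
    $exe  = [Environment]::ExpandEnvironmentVariables(($Data -replace '"', '').Trim())
    $dir  = if ($exe) { Split-Path -Parent $exe } else { $null }
    $msid = if ($dir) { Join-Path $dir 'msid.dat' } else { $null }
    $findings.Add([pscustomobject]@{
        Type      = $Type
        Name      = $Name
        Path      = $exe
        ExeExists = [bool]($exe  -and (Test-Path -LiteralPath $exe))
        MsidDat   = [bool]($msid -and (Test-Path -LiteralPath $msid))
    })
}

# 1. Run values under the current user's Run key. The page lists HKCU, so on a
#    multi-user machine repeat this per user hive (or walk HKU:).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $runValueNames) {
        if ($null -ne $run.$name) {
            Add-Finding -Type 'RunValue' -Name $name -Data ([string]$run.$name)
        }
    }
}

# 2. Service keys named in the write-up, with their DisplayName and ImagePath.
foreach ($svc in $serviceNames) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $svcKey) {
        $p = Get-ItemProperty -Path $svcKey
        Add-Finding -Type 'Service' -Name "$svc ($($p.DisplayName))" -Data ([string]$p.ImagePath)
    }
}

if ($findings.Count -eq 0) { 'No Nioupale.A persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the value or service name alone is the strong signal; ExeExists and MsidDat are false when the binary has already been removed, so do not treat a missing file as a clean result.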
We have seen this malware create the following mutexes:
Payload
Downloads files onto your PC
We have seen this threat connect to one of the following sites:
- sale.group-in.net/<removed>/addr.gif
- sale1.group-in.net/<removed>/addr.gif
- sale2.group-in.net/<removed>/addr.gif
- sites.hotdorama.com/<removed>/skm/addr.gif
We have seen this threat download the file addr.gif from these sites. The file has an encrypted URL that this malware uses for the network connection.
The malware connects to this URL using HTTP POST. It sends a malicious hacker the following information about your PC:
- If the malware has administrator privileges
- IP address
- Language ID
- Malware version: 1.50H Mini
- Operating system version
- Whether your PC is 64-bit
- Your PC name
Gives a malicious hacker access to your PC
Backdoor:Win32/Nioupale.A connects to one of the following URLs:
- %decryptedURL%rxvur.asp
- %decryptedURL%vxcbe.asp
- %decryptedURL%fxcgw.asp
- %decryptedURL%cxooe.asp
- %decryptedURL%hcvbe.asp
- %decryptedURL%dpwei.asp
- %decryptedURL%sciti.asp
- %decryptedURL%wxkfk.asp
- %decryptedURL%eqoye.asp
- %decryptedURL%tjvgt.asp
- %decryptedURL%gsccw.asp
- %decryptedURL%bcxbu.asp
- %decryptedURL%nxcxw.asp
- %decryptedURL%ycbnb.asp
- %decryptedURL%xubwe.asp
- %decryptedURL%sriuy.asp
- %decryptedURL%wfgkk.asp
- %decryptedURL%bxcwe.asp
- %decryptedURL%hciow.asp
- %decryptedURL%kdeui.asp
- %decryptedURL%pdcbh.asp
- %decryptedURL%cklel.asp
- %decryptedURL%lxchh.asp
- %decryptedURL%tdghg.asp
- %decryptedURL%qjgix.asp
Where %decryptedURL% is the URL contained in the downloaded addr.gif file.
Depending on the response from the above URLs, the malware can open a CMD shell that lets a malicious hacker run any command. The malware can also:
- Collect information about the drives and folders on your PC
- Download files
- Exit its own (malware) process
- Stop some processes on your PC
Analysis by Jonathan San Jose