Backdoor:Win32/Sereki.A is a backdoor trojan that connects to certain sites, possibly to download other malware. It also ensures that it can continuously communicate to a remote server by opening up two ports.
Installation
When executed, this trojan drops the following files in the Windows system folder, both of which are detected as Backdoor:Win32/Sereki.A:
To register itself as a library, Backdoor:Win32/Sereki.A runs the following command, which ensures the DLL file is loaded into "explorer.exe":
C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\hmlphl.dll
It also modifies the system registry to enable it to run every time Windows starts:
Adds value: "1"
With data: "<system folder>\mrcmgr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Modifies value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\mrcmgr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Backdoor:Win32/Sereki.A also drops the following files in the Windows system folder:
It then registers "prxsmr.dll" as a Browser Helper Object (BHO) by creating the following registry subkeys:
HKLM\SOFTWARE\Classes\MSApp.BhoApp.1
HKLM\SOFTWARE\Classes\MSApp.BhoApp
HKLM\SOFTWARE\Classes\CLSID\{AAD1C6AD-10AB-4cae-97FB-0AADDEC8A14B}
HKLM\SOFTWARE\Classes\TypeLib\{DC8305B3-1EE7-4D58-83EF-2C5BC6C6566C}
HKLM\SOFTWARE\Classes\Interface\{F3619035-750E-4A0A-8FB2-31D5C4BDC2D4}
Payload
Backdoor Functionality
Backdoor:Win32/Sereki.A modifies the following registry entries to assist in bypassing the system firewall:
Adds value: "hp"
With data: "21127"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{DC3D9EE3-8304-4228-ADC2-234D035FEB89}\InprocServer32
Adds value: "21127:TCP"
With data: "21127:tcp:*:enabled:port"
To subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Adds value: "17111:TCP"
With data: "17111:tcp:*:enabled:port"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
The above registry modifications ensure that TCP ports 21127 and 17111 are continuously open.
It also modifies the registry so that "hmlphl.dll", by way of "explorer.exe", can bypass the firewall:
Adds value: "%windir%\explorer.exe"
With data: "%windir%\explorer.exe:*:enabled:explorer"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "windows explorer"
With data: "C:\WINDOWS\explorer.exe"
To subkey: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\
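The persistence and firewall-policy changes described above can be checked for on a host with the registry provider. The script below is an added audit example, not part of the original write-up; it assumes it is run from an elevated PowerShell prompt on the legacy (XP/2003) firewall policy layout this entry describes, and it only reports what it finds.

```powershell
# Added audit script (not from the original write-up): looks for the registry
# indicators listed above. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Winlogon Userinit normally holds only "<system folder>\userinit.exe,".
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $entries = $userinit -split ',' | Where-Object { $_.Trim() -ne '' }
    if ($entries.Count -gt 1) { $findings += "Userinit has extra entries: $userinit" }
}

# 2. policies\Explorer\Run is a rarely used autostart location; list every value.
$polRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
if (Test-Path $polRun) {
    (Get-ItemProperty -Path $polRun).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $findings += "policies\Explorer\Run value '$($_.Name)' = $($_.Value)" }
}

# 3. Legacy firewall policy: globally opened ports and authorized applications.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$openPorts = Get-ItemProperty -Path "$fwBase\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
foreach ($name in @('21127:TCP', '17111:TCP')) {
    $prop = if ($openPorts) { $openPorts.PSObject.Properties[$name] }
    if ($prop) { $findings += "Globally open port entry: $name = $($prop.Value)" }
}
$authApps = Get-ItemProperty -Path "$fwBase\AuthorizedApplications\List" -ErrorAction SilentlyContinue
if ($authApps) {
    $authApps.PSObject.Properties |
        Where-Object { $_.Name -like '*explorer.exe' } |
        ForEach-Object { $findings += "explorer.exe authorized through firewall: $($_.Value)" }
}

# 4. The BHO CLSID registered for prxsmr.dll.
$bhoClsid = 'HKLM:\SOFTWARE\Classes\CLSID\{AAD1C6AD-10AB-4cae-97FB-0AADDEC8A14B}'
if (Test-Path $bhoClsid) { $findings += "BHO CLSID registered: $bhoClsid" }

if ($findings.Count -eq 0) { 'No Sereki.A registry indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

On Vista and later the firewall stores its rules under FirewallPolicy\FirewallRules instead, so the GloballyOpenPorts and AuthorizedApplications checks only cover the legacy location named in this entry.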
Backdoor:Win32/Sereki.A attempts to connect to the domain good-herbal.com and the IP address 62.176.17.6, possibly to download and install other malware.
Analysis by Andrei Florin Saygo