Backdoor:Win32/Syrutrk.A is a trojan that allows unauthorized access to and control of an affected computer. A remote attacker may use it to make the affected computer participate in Distributed Denial of Service (DDoS) attacks against specified hosts, and it may also install additional malware on the affected computer.
In the wild we have observed Backdoor:Win32/Syrutrk.A being downloaded and installed by PWS:Win32/Daptdei.A.
Installation
When executed Backdoor:Win32/Syrutrk.A copies itself to <system folder>\wininet.exe and drops the following files:
Backdoor:Win32/Syrutrk.A makes the following registry modifications in order to load Backdoor:Win32/Syrutrk.B and to facilitate its actions:
Sets value: "SysRun"
With data: "{d7ffd784-5276-42d1-887b-00267870a4c7}"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Sets value: "(default)"
With data: "<system folder>\svshost.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Sets value: "DLLName"
With data: "<system folder>\svshost.dll"
Sets value: "EntryPoint"
With data: "w"
Sets value: "StackSize"
With data: 0
To subkey: HKLM\System\CurrentControlSet\Control\MPRServices\winsys
It also makes the following modification in order to add itself to the Windows Firewall authorized applications list:
Sets value: "C:\WINDOWS\system32\wininet.exe"
With data: "<system folder>\wininet.exe:*:enabled:windows xp update"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Payload
Installs additional malware
Backdoor:Win32/Syrutrk.A executes <system folder>\winint.exe, which in turn drops the following file:
It then modifies the registry to run this file at each system start:
Sets value: "WinDLL (service.exe)"
With data: "service.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Allows backdoor access and control
Backdoor:Win32/Syrutrk.A allows unauthorized access to and control of an affected computer. Using this backdoor, an attacker can perform the following actions:
- Command the affected computer to participate in a Distributed Denial of Service attack against specified targets. Backdoor:Win32/Syrutrk.A has been observed contacting the following domains to retrieve information regarding this attack:
work-lab.biz
nikemk.com
- Send information about the newly infected computer to a remote host.
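The following PowerShell script is an added example for sweeping a host for the artifacts described in the Installation and Payload sections above and the domains listed under the backdoor payload; it is not part of the original encyclopedia entry. The registry paths, value names, file names and domains are taken from the entry. The function name, the use of SystemDirectory for "<system folder>", and the DNS-cache check via Get-DnsClientCache are this example's own choices (Get-DnsClientCache and Get-FileHash are only available on Windows 8 / Server 2012 or later with PowerShell 4+; on older systems those checks are skipped or must be replaced).

```powershell
# Added example, not part of the original entry: sweep a Windows host for the
# Backdoor:Win32/Syrutrk.A indicators listed on this page. Run from an elevated prompt.

$SysDir = [Environment]::SystemDirectory   # the entry's "<system folder>" (assumption)

# Registry persistence entries taken from the Installation and Payload sections.
# Pattern is a regex matched (case-insensitively) against the value's data.
$RegistryIndicators = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Name = 'SysRun';               Pattern = 'd7ffd784-5276-42d1-887b-00267870a4c7' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32'
       Name = '(default)';            Pattern = 'svshost\.dll' },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\MPRServices\winsys'
       Name = 'DLLName';              Pattern = 'svshost\.dll' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = 'WinDLL (service.exe)'; Pattern = 'service\.exe' }
)
$FirewallList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
# Dropped/executed files named on the page; none of these names belongs to a legitimate
# Windows binary (Windows ships wininet.dll and svchost.exe, not wininet.exe or svshost.dll).
$FileIndicators = 'wininet.exe', 'winint.exe', 'svshost.dll' | ForEach-Object { Join-Path $SysDir $_ }
# Domains contacted for DDoS tasking.
$Domains = 'work-lab.biz', 'nikemk.com'

function Find-SyrutrkIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # Registry values: report only if present AND the data matches the expected pattern.
    foreach ($ind in $RegistryIndicators) {
        $item = Get-ItemProperty -LiteralPath $ind.Path -Name $ind.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = [string]$item.($ind.Name)
        if ($data -imatch $ind.Pattern) {
            $findings.Add("registry: $($ind.Path) [$($ind.Name)] = $data")
        }
    }

    # Firewall exception: the entry writes the value name as a literal C:\WINDOWS\system32
    # path, so enumerate every value under the List key and flag any name or data
    # that references wininet.exe, regardless of the actual system folder.
    if (Test-Path -LiteralPath $FirewallList) {
        $key = Get-Item -LiteralPath $FirewallList
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if (($name + ' ' + $data) -imatch 'wininet\.exe') {
                $findings.Add("firewall exception: $name = $data")
            }
        }
    }

    # Dropped files: record a SHA-256 so the sample can be matched or submitted later.
    foreach ($path in $FileIndicators) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings.Add("file: $path sha256=$hash")
        }
    }

    # Resolver cache: a cached lookup of either tasking domain means something on this
    # host resolved it recently. Skipped where the cmdlet is unavailable.
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
            foreach ($d in $Domains) {
                if ($entry.Entry -like "*$d") {
                    $findings.Add("dns cache: $($entry.Entry) -> $($entry.Data)")
                }
            }
        }
    }

    return $findings
}

$results = Find-SyrutrkIndicators
if ($results.Count -eq 0) { 'No Backdoor:Win32/Syrutrk.A indicators found.' } else { $results }
```

The registry checks match on the data rather than on mere presence because ShellServiceObjectDelayLoad, the CLSID tree and the Run key all hold legitimate entries on a normal system; only the specific CLSID, DLL and executable names from the entry are meaningful. The firewall check is deliberately looser, since a value under AuthorizedApplications\List that references a wininet.exe in the system folder has no legitimate origin.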
Analysis by Tim Liu