Backdoor:Win32/Wolyx.A is a backdoor trojan that connects to a remote IP address on a random port. It allows an attacker to remotely access the computer and perform various actions. It is packaged together with a second backdoor, Backdoor:MacOS_X/Olyx.A, which runs on the Mac OS X operating system.
Installation
Upon execution, Backdoor:Win32/Wolyx.A drops a component file in the following location:
- %ProgramFiles%\Common Files\Microsoft Shared\Office12\mso32.dll
It adds the following registry key and entry to allow its component file to execute when Windows starts:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\mswsock32
Sets value: "PathName"
With data: "%ProgramFiles%\Common Files\Microsoft Shared\Office12\mso32.dll"
As part of its installation process, Backdoor:Win32/Wolyx.A checks whether it is running under any of the following processes:
- svchost.exe
- iexplore.exe
- lsass.exe
- avp.exe
- 360tray.exe
- dumprep.exe
- 360sd.exe
- 360rp.exe
- dsmain.exe
- 360safe.exe
- Traveler.exe
- Maxthon.exe
- Theworld.exe
- firefox.exe
Payload
Monitors and logs applications used in the computer
Backdoor:Win32/Wolyx.A injects code into "winlogon.exe" and "svchost.exe" to monitor the applications used on the affected computer, logging the application and window names. It also installs a keylogger that records all keystrokes typed in every application.
Monitor internet traffic
Backdoor:Win32/Wolyx.A registers its DLL component as a Layered Service Provider (LSP) in order to monitor, intercept, and modify inbound and outbound Internet traffic on the computer.
It modifies the following registry entries to perform these actions:
In subkeys:
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
Sets value: "PackedCatalogItem"
With data: "%ProgramFiles%\Common Files\Microsoft Shared\OFFICE12\MSO32.DLL"
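The LSP registration above is what a defender can check for directly. The following PowerShell script is an added example, not part of the original write-up: it walks the Winsock protocol catalog, flags any provider DLL that matches the mso32.dll path named here or that lives outside the Windows system directory, and checks for the bogus "mswsock32" service key. It assumes PackedCatalogItem is stored as REG_BINARY with the provider path as the leading null-terminated ANSI string, and it must be run from an elevated shell.

```powershell
# Added example, not from the original write-up. Run as Administrator.
$catalog    = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\mswsock32'
$indicator  = 'Microsoft Shared\Office12\mso32.dll'      # DLL path from the write-up
$systemDir  = [Environment]::GetFolderPath('System')      # e.g. C:\Windows\System32

function Get-LspLibraryPath {
    param($Packed)
    # Assumption: PackedCatalogItem is REG_BINARY and the provider DLL path is the
    # null-terminated ANSI string at the start of the blob. A plain string value
    # (as the write-up presents it) is used as-is.
    if ($Packed -is [byte[]]) {
        $end = [Array]::IndexOf($Packed, [byte]0)
        if ($end -lt 0) { $end = $Packed.Length }
        $raw = [Text.Encoding]::ASCII.GetString($Packed, 0, $end)
    } else {
        $raw = [string]$Packed
    }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

$findings = @()
foreach ($entry in Get-ChildItem -Path $catalog -ErrorAction SilentlyContinue) {
    $packed = (Get-ItemProperty -Path $entry.PSPath).PackedCatalogItem
    if ($null -eq $packed) { continue }
    $dll    = Get-LspLibraryPath $packed
    $reason = $null
    if ($dll -like "*$indicator") {
        $reason = 'matches Wolyx mso32.dll indicator'
    } elseif (-not $dll.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase)) {
        $reason = 'provider DLL outside the system directory'
    }
    if ($reason) {
        $findings += [pscustomobject]@{ Entry = $entry.PSChildName; Dll = $dll; Reason = $reason }
    }
}

# Persistence check: the write-up's fake service key under Services\WinSock2.
if (Test-Path $serviceKey) {
    $path = (Get-ItemProperty -Path $serviceKey).PathName
    $findings += [pscustomobject]@{ Entry = 'Services\WinSock2\mswsock32'; Dll = $path; Reason = 'unexpected mswsock32 service key' }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No suspicious Winsock catalog entries or mswsock32 service key found.' }
```

Third-party security suites and VPN clients legitimately register providers outside System32, so the "outside the system directory" flag is a triage prompt rather than a verdict; on 64-bit Windows, repeat the walk for the Catalog_Entries64 subkey as well.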
Collects user, computer, and network information
Backdoor:Win32/Wolyx.A collects the following information:
- Computer name
- User name and cached password
- Processor speed
- Installed memory
- Free disk space
- System settings
- Operating system version
- Service pack version
- Email address
- Email password
- Available drives
Allows backdoor access and control
Backdoor:Win32/Wolyx.A opens up a connection to allow access to remote users.
It is capable of remotely performing the following backdoor commands:
- Create and disable a service or manipulate an existing service setting
- Hide an application window
- Perform the following file and folder functions:
  - Delete file or folder content
  - Change file or folder attributes
  - Move file or folder
  - Create file or folder
  - Traverse folders
  - Open folder in Windows Explorer
- Restart or shut down the computer
- Create, modify, or delete registry keys and entries
- Open up a command shell
- Enumerate running processes and sessions
Additional information
Upon execution, Backdoor:Win32/Wolyx.A checks for the existence of the following legitimate files:
- %ProgramFiles%\Common Files\Microsoft Shared\DAO\dao120.dll
- %ProgramFiles%\Common Files\sqlite3.dll
These are related to database management systems.
Analysis by Zarestel Ferrer