Backdoor.Generic.622690_a0a4cd62bf

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Backdoor creates the following process(es):

5ze4r5y5ry1DLL.exe:1168
%original file name%.exe:1552

The Backdoor injects its code into the following process(es):

svchost.exe:592
Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process 5ze4r5y5ry1DLL.exe:1168 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmd1.tmp (11010 bytes)

The process %original file name%.exe:1552 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%WinDir%\Explorer32DLL.exe (23913 bytes)
%WinDir%\5ze4r5y5ry1DLL.exe (307 bytes)

The Backdoor deletes the following file(s):

%WinDir%\Explorer32DLL.exe (0 bytes)

Registry activity

The process 5ze4r5y5ry1DLL.exe:1168 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 75 97 34 2D 63 7A B0 B3 0F 1E 1F 97 0A B7 FB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"svchost.exe" = "svchost"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1552 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 9A 26 C6 76 A0 EA 9D 37 B7 93 7A C3 7C BF CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{{DML7J752-5356-4Z46-B4TB-NY2A1F738Y0I}}]
"StubPath" = "%WinDir%\Explorer32DLL.exe"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%WinDir%\Explorer32DLL.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%WinDir%\Explorer32DLL.exe"

Dropped PE files

MD5	File path
ec9a9078a8452ee622741d60648f5343	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\svchost.exe
685f1cbd4af30a1d0c25f252d399a666	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\jmd1.tmp
ec9a9078a8452ee622741d60648f5343	c:\WINDOWS\5ze4r5y5ry1DLL.exe
5d1978c42c8ddcd2db3ec9cd37cae1fe	c:\%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   5ze4r5y5ry1DLL.exe:1168
   %original file name%.exe:1552
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:

   %Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\jmd1.tmp (11010 bytes)
   %WinDir%\Explorer32DLL.exe (23913 bytes)
   %WinDir%\5ze4r5y5ry1DLL.exe (307 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Explorer" = "%WinDir%\Explorer32DLL.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Explorer" = "%WinDir%\Explorer32DLL.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 6, 0
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 3, 3, 6, 0File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	524311	524800	4.59881	6c20c6bf686768b6f134f5bd508171bc
.rdata	532480	55644	55808	3.15551	321c940899050104ced482b1e5bf7a0e
.data	589824	107800	26624	1.52615	e5d77411f751d28c6eee48a743606795
.rsrc	700416	26224	26624	3.55864	89967892fb8c209a8bdb03cb6dfa960f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_592:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

P.tqn

P.tqn

kernel32.dll

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

SQL error or missing database

SQL error or missing database

An internal logic error in SQLite

An internal logic error in SQLite

Operation terminated by sqlite3_interrupt()

Operation terminated by sqlite3_interrupt()

Uses OS features not supported on host

Uses OS features not supported on host

2nd parameter to sqlite3_bind out of range

2nd parameter to sqlite3_bind out of range

sqlite3_step() has another row ready

sqlite3_step() has another row ready

sqlite3_step() has finished executing

sqlite3_step() has finished executing

Unknown SQLite Error Code "

Unknown SQLite Error Code "

ESQLiteException

ESQLiteException

TSQLiteDatabase

TSQLiteDatabase

TSQLiteTable

TSQLiteTable

sqlite3_open

sqlite3_open

sqlite3_errmsg

sqlite3_errmsg

sqlite3_free

sqlite3_free

sqlite3_close

sqlite3_close

sqlite3_last_insert_rowid

sqlite3_last_insert_rowid

sqlite3_total_changes

sqlite3_total_changes

sqlite3_errcode

sqlite3_errcode

sqlite3_bind_text

sqlite3_bind_text

sqlite3_bind_int

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_int64

sqlite3_bind_double

sqlite3_bind_double

sqlite3_bind_null

sqlite3_bind_null

sqlite3_bind_blob

sqlite3_bind_blob

sqlite3_prepare_v2

sqlite3_prepare_v2

sqlite3_step

sqlite3_step

sqlite3_reset

sqlite3_reset

sqlite3_finalize

sqlite3_finalize

sqlite3_prepare

sqlite3_prepare

sqlite3_busy_timeout

sqlite3_busy_timeout

sqlite3_libversion

sqlite3_libversion

sqlite3_create_collation

sqlite3_create_collation

sqlite3_bind_parameter_index

sqlite3_bind_parameter_index

sqlite3_changes

sqlite3_changes

sqlite3_column_count

sqlite3_column_count

sqlite3_column_name

sqlite3_column_name

sqlite3_column_decltype

sqlite3_column_decltype

sqlite3_column_type

sqlite3_column_type

sqlite3_column_int64

sqlite3_column_int64

sqlite3_column_double

sqlite3_column_double

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

sqlite3_column_text

sqlite3_column_text

Failed to open database "%s" : %s

Failed to open database "%s" : %s

Failed to open database "%s" : unknown error

Failed to open database "%s" : unknown error

Error [%d]: %s.

Error [%d]: %s.

"%s": %s

"%s": %s

Error executing SQL

Error executing SQL

Could not prepare SQL statement

Could not prepare SQL statement

Error executing SQL statement

Error executing SQL statement

SQLite is Busy

SQLite is Busy

udprec

udprec

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

:\autorun.inf

:\autorun.inf

icon=%SystemRoot%\system32\SHELL32.dll,4

icon=%SystemRoot%\system32\SHELL32.dll,4

\Mozilla Firefox\

\Mozilla Firefox\

nss3.dll

nss3.dll

mozcrt19.dll

mozcrt19.dll

sqlite3.dll

sqlite3.dll

nspr4.dll

nspr4.dll

plc4.dll

plc4.dll

plds4.dll

plds4.dll

nssutil3.dll

nssutil3.dll

softokn3.dll

softokn3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

userenv.dll

userenv.dll

\Mozilla\Firefox\

\Mozilla\Firefox\

profiles.ini

profiles.ini

\signons3.txt

\signons3.txt

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\profiles.ini

signons.sqlite

signons.sqlite

SELECT * FROM moz_logins

SELECT * FROM moz_logins

encryptedPassword

encryptedPassword

Urlmon.dll

Urlmon.dll

Shell32.dll

Shell32.dll

URLDownloadToFileA

URLDownloadToFileA

ShellExecuteA

ShellExecuteA

Future Windows version (unknown)

Future Windows version (unknown)

Windows

Windows

UDPPROG1|

UDPPROG1|

UDPStart|

UDPStart|

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Mozilla\Mozilla Firefox\

WEBDL

WEBDL

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

svchost.exe

svchost.exe

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

GetCPInfo

GetCPInfo

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

wsock32.dll

wsock32.dll

shell32.dll

shell32.dll

5 5$5(5,5054585

5 5$5(5,5054585

>">*>2>:>

>">*>2>:>

: :$:(:,:0:4:8:<:>

: :$:(:,:0:4:8:<:>

SQLite3

SQLite3

KWindows

KWindows

UrlMon

UrlMon

SQLiteTable3

SQLiteTable3

Kernel32.dll

Kernel32.dll

ADVAPI32.dll

ADVAPI32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer

Software\Microsoft\Windows\CurrentVersion\Explorer

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid data type for '%s' List capacity out of bounds (%d)

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

List index out of bounds (%d) Out of memory while expanding memory stream

Failed to get data for '%s'

Failed to get data for '%s'

Failed to set data for '%s'

Failed to set data for '%s'

%s.Seek not implemented$Operation not allowed on sorted list

%s.Seek not implemented$Operation not allowed on sorted list

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

svchost.exe_592_rwx_00427000_00001000:

Kernel32.dll

Kernel32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

Software\Microsoft\Windows\CurrentVersion\Explorer

Software\Microsoft\Windows\CurrentVersion\Explorer

svchost.exe_592_rwx_008B1000_00071000:

UDPSockError

UDPSockError

NMUDP

NMUDP

Errmsg

Errmsg

Port

Port

TNMUDP

TNMUDP

RemotePort

RemotePort

LocalPort

LocalPort

ReportLevelLk

ReportLevelLk

0.0.0.0

0.0.0.0

%d.%d.%d.%d

%d.%d.%d.%d

AutoHotkeys

AutoHotkeys

:].tJ

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation,0

EInvalidGraphicOperation

EInvalidGraphicOperation

KeyPreview,

KeyPreview,

WindowState

WindowState

OnKeyDown

OnKeyDown

OnKeyPressdz

OnKeyPressdz

OnKeyUp

OnKeyUp

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

TDragOperation

TDragOperation

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

crSQLWait

crSQLWait

%s (%s)

%s (%s)

IMM32.DLL

IMM32.DLL

EInvalidOperation

EInvalidOperation

%s[%d]

%s[%d]

%s_%d

%s_%d

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

kernel32.dll

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

explorer.exe

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

*.TMP

Kernel32.dll

Kernel32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

readbook.exe

readbook.exe

rundll32.exe

rundll32.exe

*.exe

*.exe

*.scr

*.scr

UdpT

UdpT

UdpOnDataReceived

UdpOnDataReceived

xxtype.cpp

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Inappropriate I/O control operation

Broken pipe

Broken pipe

Operation not permitted

Operation not permitted

%H:%M:%S

%H:%M:%S

%m/%d/%y

%m/%d/%y

%A, %B %d, %Y

%A, %B %d, %Y