BackDoor-AWQ.b

Type: Trojan
SubType: Remote Access
Discovery Date: 01/06/2004
Length: varies
Minimum DAT: 4313 (01/07/2004)
Updated DAT: 6546 (11/30/2011)
Minimum Engine: 5.3.00
Description Added: 01/06/2004
Description Modified: 07/29/2010 5:01 PM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Characteristics

-- Update July 29, 2010 --

File Information

  • MD5  - CF7568B7C1435A0DBCEA32F5E3CA9565
  • SHA1 - 0293303917A5CCA64CAF7F70A567F587E89D99D0

Aliases

  • Ikarus     - Backdoor.Win32.ServU-based
  • Kaspersky  - not-a-virus:Server-FTP.Win32.Serv-U.gme
  • NOD32      - a variant of Win32/ServU-Daemon
  • TrendMicro - BKDR_SERVU.AK

When executed, the malware binary drops the following files:

  • %Userprofile%\Desktop\xpab2res.dll (Config file)
  • %Userprofile%\Application Data\TEMP\675FB12C.TMP

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}\Programmable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

The following registry values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}\whKsxicpXx: "]ho\pxnv|uRCwSNcNNTG|"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}\nvuxEnldix: "Q[xjQBFIb^{UYTpQnJdZZc{Gh"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}\DAaejunnJixd: "^]OmdtHH\U[~afYwswQwfgWyjE}TA"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}\izXcnzfRcNwqy: "cBhq@S\GUeTDIofQRT\H"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}\CaaarqvZKkfi: "`BX|uVAPKpGr_E@mej][y"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72200EE-479A-B3B3-1065-DD1E1065DD1E}\mGnmuozex: "jiL|SoYP[hBSh~{uZ^gTG@u]D"

This gives the attacker backdoor access to the machine and sends details of the compromised user to the attacker.

Once the system is compromised, the trojan lets the attacker perform various backdoor activities. The dropped trojan file acts as a server and carries out the commands it receives from the attacker's client.

This server file also stores user information in a log file and sends it to the attacker.

[%UserProfile% is c:\Documents and Settings\Administrator\]

 

--------------------------------------------------------------------------------------------------

-- Update July 12, 2010 --

File Information

    • MD5 - A84437AA6D9B829EE4DBA018AF963854
    • SHA1 - 875B700CF26283EA6E57E9D2970BBF8DC16BD348

Aliases

    • AVG - BackDoor.Generic12.KBY
    • F-Secure - MemScan:Backdoor.Generic.200723
    • Microsoft - Backdoor:Win32/FlyAgent.F
    • NOD32 - Win32/FlyStudio.NYH

Upon execution, this Trojan copies itself to the following location:

    • %Windir%\System32\372109\C00285.EXE [Detected as BackDoor-AWQ.b]

This Trojan injects into explorer.exe, performs its backdoor activity from there, and drops the following files:

    • %Windir%\System32\499E86\cnvpe.fne
    • %Windir%\System32\499E86\dp1.fne
    • %Windir%\System32\499E86\eAPI.fne
    • %Windir%\System32\499E86\HtmlView.fne
    • %Windir%\System32\499E86\internet.fne
    • %Windir%\System32\499E86\krnln.fnr
    • %Windir%\System32\499E86\shell.fne
    • %Windir%\System32\499E86\spec.fne
    • %Windir%\System32\499E86\RegEx.fnr
    • %Temp%\E_N4\cnvpe.fne
    • %Temp%\E_N4\dp1.fne
    • %Temp%\E_N4\eAPI.fne
    • %Temp%\E_N4\HtmlView.fne
    • %Temp%\E_N4\internet.fne
    • %Temp%\E_N4\krnln.fnr
    • %Temp%\E_N4\shell.fne
    • %Temp%\E_N4\spec.fne

It may also create a link in the Startup folder that points to the dropped copy:

    • %UserProfile%\Start Menu\Programs\Startup\C00285.lnk

The above entry ensures that the Trojan runs every time Windows boots.

The following folders have been added to the system:

    • %Windir%\System32\372109
    • %Windir%\System32\499E86
    • %Windir%\System32\2B4FA4
    • %Windir%\System32\A9C3FF
    • %Temp%\E_N4

  • %Userprofile% - C:\Documents and Settings\[UserName]
  • %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp
  • %WinDir% - \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
  • %SystemDir% - \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)

---------

-- Update December 17, 2009 --

A new variant of this threat was identified with the characteristics below.

This variant was observed being dropped by Generic Dropper.mx.

This file is a DLL with randomly named exports:

  • 0x00001820h    hfburt
  • 0x00001930h    nrufk
  • 0x00001A40h    vwsknm
  • 0x00001950h    wllpsdg

Upon execution, it adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid\url0: <DATA>
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe rundll32.exe wdni.buo nrufk"

(Where <DATA> represents some hexadecimal data.)

It then starts %WINDIR%\system32\svchost.exe and injects itself into this new instance. From there, it connects to the following website:

  • http://193.[removed].91/limpopo/bb.php?id=[removed]&v=[removed]&tm=[removed]&b=[removed]

This page returns the following message, which could contain commands to update the malware:

  • [info]delay:45|upd:0|backurls:[/info]
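As an added example (not McAfee's code and not part of the advisory), the Python helpers below turn the two indicators above into checks a responder can run against a collected Winlogon Shell value and an HTTP response body. The sample values are copied from the advisory; the function names, the export set and the alert wording are this example's own.

```python
import re
from typing import Optional

# Constructed sample values copied from the indicators above (not live data).
SAMPLE_SHELL_VALUE = "Explorer.exe rundll32.exe wdni.buo nrufk"
SAMPLE_C2_RESPONSE = "[info]delay:45|upd:0|backurls:[/info]"

# Randomly named exports the advisory lists for the dropped DLL; "nrufk" is the
# one the Winlogon Shell value hands to rundll32.
KNOWN_EXPORTS = {"hfburt", "nrufk", "vwsknm", "wllpsdg"}

def winlogon_shell_extras(shell_value: str) -> list[str]:
    """Return every token of a Winlogon Shell value other than explorer.exe.
    A clean system carries only "explorer.exe" (optionally with a full path);
    Winlogon runs each comma-separated entry, so anything else is a logon-time
    persistence candidate worth triaging.
    """
    extras = []
    for entry in shell_value.split(","):
        for token in entry.split():
            # Compare on the basename so "C:\Windows\explorer.exe" is accepted.
            name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name != "explorer.exe":
                extras.append(token)
    return extras

def shell_persistence_alert(shell_value: str) -> Optional[str]:
    """Describe why a Shell value matches this family's persistence, else None."""
    extras = winlogon_shell_extras(shell_value)
    if not extras:
        return None
    if extras[0].lower() == "rundll32.exe" and len(extras) >= 3:
        module, export = extras[1], extras[2]
        # A module without a .dll extension, or a known export name, is the
        # pattern from the December 2009 variant.
        if not module.lower().endswith(".dll") or export in KNOWN_EXPORTS:
            return f"rundll32 loads {module!r} via export {export!r}"
    return "unexpected Shell entries: " + " ".join(extras)

def parse_info_response(body: str) -> Optional[dict[str, str]]:
    """Parse the [info]key:value|...[/info] message the C2 page returns, or
    return None when the markers are absent (so any HTTP body can be screened).
    """
    match = re.search(r"\[info\](.*?)\[/info\]", body, re.DOTALL)
    if match is None:
        return None
    fields = {}
    for item in match.group(1).split("|"):
        if item:
            key, _, value = item.partition(":")
            fields[key.strip()] = value.strip()
    return fields
```

A registry export or a proxy log can be fed through these functions line by line; a non-None alert or a parsed [info] dictionary is the hit to escalate.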

--

This detection is for a remote access trojan written in Borland Delphi. An email message constructed to download and execute the trojan is known to have been spammed to users.

The spammed message is constructed in HTML format. It is likely to have a random subject line, and its body is likely to bear a head portrait of a lady (loaded from a remote server upon viewing the message).

The body contains HTML tags that load a second file from a remote server. This file is a MIME archive that contains the remote access trojan, base64 encoded.

Installation

Upon execution, the trojan installs itself into the %SysDir% directory as GRAYPIGEON.EXE. A DLL file is extracted and also copied to this directory:

  • %SysDir%\GRAYPIGEON.EXE
    (system and hidden attributes set)
  • %SysDir%\GRAYPIGEON.DLL

(Where %Sysdir% is the Windows System directory, for example C:\WINNT\SYSTEM32)

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  "ScanRegedit" = "%SysDir%\GRAYPIGEON.EXE"

The DLL file (which contains the backdoor functionality) is injected into the EXPLORER.EXE process on the victim machine. This method is typically used to bypass personal firewall settings (explorer.exe is often excluded from firewall rules).

Once running, the attacker is able to perform various tasks, including:

  • Opening and closing the CD tray
  • Opening an FTP server on the victim machine
  • Retrieving information from the victim machine (OS, CPU, memory, etc.)

Symptoms

  • The spammed message contains links to the image and the encoded trojan at the following server:

    http://ns1.jilinfarm.com/member/(blocked)/index.mht
  • Outgoing HTTP traffic will be seen from the victim machine, to the following server for example:

    http://shaowenqi.3322.org
  • Existence of the files/Registry keys detailed above

Method of Infection

An HTML email message intended to download and execute this trojan is known to have been spammed to users.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

1. Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Restart and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Restart and remove the CD from the CD-ROM drive.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
