BackDoor-CKB
- Type
- Trojan
- SubType
- Remote Access
- Discovery Date
- 02/09/2005
- Length
- Varies
- Minimum DAT
- 4400 (10/20/2004)
- Updated DAT
- 6528 (11/12/2011)
- Minimum Engine
- 5.4.00
- Description Added
- 10/20/2004
- Description Modified
- 11/04/2011 3:09 PM (PT)
Characteristics
-----------------Updated Nov 04, 2011---------------------------
BackDoor-CKB is a backdoor that allows a remote attacker unauthorized access to and control of a compromised computer. It is dropped by BackDoor-CKB.dr. Once the dropper is executed, it drops the DLL and the configuration files for BackDoor-CKB and installs the DLL as a service.
The dropper creates a compressed version of the DLL at the following location:
- %USERPROFILE%\Local Settings\Temp\~tmp010101.jpg
The dropper will then exit.
The DLL file is copied to the following path:
- %SystemRoot%\system32\sensext.dll
The service SENS is modified to point to the new DLL, and the service is started.
The following configuration files are created:
- %SystemRoot%\system32\sensext.nt
- %SystemRoot%\system32\english.nls
They are compressed with a custom algorithm and contain the IP address used by the malware to communicate. These data files, as well as the compressed copy of the DLL, are detected as BackDoor-CKB!dat.
Once the DLL service is started, it attempts to connect to remote hosts on port 443. The following IP address is configured as the command and control server:
- 111.[removed].92:443
The backdoor reads the following registry values and connects to the remote hosts via a proxy server if one is configured:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings (values ProxyServer and ProxyEnable)
The backdoor has the following functions to control infected machines:
- Sends Disk/Volume Information
- Download/Upload files
- Create/Modify/Remove files and directories
- Search files
- Provide Remote shell (cmd.exe)
-----------------Updated Dec 13, 2010---------------------------
BackDoor-CKB is a backdoor that allows a remote attacker unauthorized access to and control of a compromised computer. This malware registers itself on the compromised system as an Installed Components entry. The trojan spawns an iexplore.exe process, which is responsible for opening the backdoor.
Upon execution, the malware binary deletes itself and copies itself to the following system location:
- %AppData%\iexplorer.exe
Going by the file name, the malware binary pretends to be a legitimate "iexplore.exe" running in the background, which it is not.
When executed, the following registry entry is added to the compromised system:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{261C7F25-5C46-F6B0-2881-80D3E90588EE}\]
- StubPath: "%AppData%\iexplorer.exe" [path of the malware]
The above registry entry ensures that the malware binary is launched on every reboot.
When executed, the malware binary tries to connect to the following DNS names, which were down at the time of analysis:
- acm[removed].com
- insta[removed].com
- prox[removed].com
The malware binary writes into the memory of the "explorer.exe" process, which causes it to spawn an "iexplore.exe" process, which in turn opens a backdoor to accept commands from the remote attacker.
These are the defaults for typical path variables (although they may differ, these are common examples):
- %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
- %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32
- %AppData% = \Documents and Settings\Administrator\Application Data\
----------------------------------------------------------------------
This is a remote access trojan.
When run, this trojan drops PCClient.dll to the Windows directory, typically:
C:\Windows\PCClient.dll
Then it adds the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
system32 = (File path)
Then this trojan injects the DLL into the "IExplorer.exe" process.
This DLL attempts to resolve "7oo.meibu.com" through a remote DNS server. It then makes HTTP connections to the site and sends hardware information, including the computer name, CPU, memory status, and drive information. The trojan also waits for commands from the remote site.
Symptoms
- Unexpected HTTP access to the site mentioned above
- Existence of the file and registry key mentioned above
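The following read-only PowerShell check is an added example, not part of the McAfee description: it looks for the persistence entries and dropped files named above for all three variants (the SENS service redirected to sensext.dll, the Active Setup StubPath, the Policies\Explorer\Run value, the dropped files) and for the C2 host name in the DNS client cache. It assumes a modern Windows host, so $env:TEMP stands in for the XP-era Local Settings\Temp path.

```powershell
# Added example (not from the McAfee description): report-only sweep for the
# BackDoor-CKB artefacts listed in Characteristics. Nothing is deleted here;
# cleaning is left to the engine/DAT combination described under Removal.
$findings = @()

# 1) Nov 2011 variant: SENS service hosting sensext.dll (the legitimate DLL is sens.dll)
$sens = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SENS\Parameters' -ErrorAction SilentlyContinue
if ($sens -and $sens.ServiceDll -match 'sensext\.dll') {
    $findings += "SENS ServiceDll points to $($sens.ServiceDll)"
}

# 2) Dec 2010 variant: Active Setup component with the GUID named on the page
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{261C7F25-5C46-F6B0-2881-80D3E90588EE}'
$as = Get-ItemProperty $asKey -ErrorAction SilentlyContinue
if ($as) {
    $findings += "Active Setup component present, StubPath = $($as.StubPath)"
}

# 3) Original variant: Policies\Explorer\Run value named 'system32'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$run = Get-ItemProperty $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['system32']) {
    $findings += "Policies\Explorer\Run 'system32' = $($run.system32)"
}

# 4) Dropped files from all three variants; $env:TEMP is an assumption replacing
#    the XP-era %USERPROFILE%\Local Settings\Temp path given on the page
$paths = @(
    "$env:SystemRoot\system32\sensext.dll",
    "$env:SystemRoot\system32\sensext.nt",
    "$env:SystemRoot\system32\english.nls",
    "$env:TEMP\~tmp010101.jpg",
    "$env:APPDATA\iexplorer.exe",
    "$env:SystemRoot\PCClient.dll"
)
foreach ($p in $paths) {
    # -LiteralPath so the leading '~' in the temp file name is not expanded
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 5) Symptom from the page: the C2 host name cached by the DNS client
if (ipconfig /displaydns | Select-String -SimpleMatch '7oo.meibu.com') {
    $findings += 'DNS client cache contains 7oo.meibu.com'
}

if ($findings.Count -eq 0) { 'No BackDoor-CKB indicators found.' } else { $findings }
```

A hit on the SENS ServiceDll or the Active Setup key is the strongest signal; the file names alone can collide with unrelated files (english.nls in particular), so confirm with the recommended engine and DAT before acting.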
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
In some particular cases, however, the following steps need to be taken.
Go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
- Insert the Windows XP CD into the CD-ROM drive and restart the computer.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- Select the Windows installation that is compromised and provide the administrator password.
- Issue the 'fixmbr' command to restore the Master Boot Record.
- Follow onscreen instructions.
- Reset and remove the CD from the CD-ROM drive.
On Windows Vista and 7:
- Insert the Windows CD into the CD-ROM drive and restart the computer.
- Click on "Repair Your Computer".
- When the System Recovery Options dialog comes up, choose the Command Prompt.
- Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
- Follow onscreen instructions.
- Reset and remove the CD from the CD-ROM drive.
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
File Information:
- MD5 - 86464699fa0edc9ac84a2c36b4705eea
- SHA1 - 272b167a995af161db95c918a5bdf065a02eb279
Aliases:
- Microsoft - Backdoor:Win32/Poison.A
- Kaspersky - Trojan.Win32.Inject.aynr
- BitDefender - Backdoor.PoisonIvy.HN
- AVG - BackDoor.Generic13.UKF