Generic BackDoor.u

Type: Trojan
SubType: Win32
Discovery Date: 04/05/2005
Length: varies
Minimum DAT: 4461 (04/04/2005)
Updated DAT: 6548 (12/02/2011)
Minimum Engine: 5.4.00
Description Added: 04/04/2005
Description Modified: 06/20/2011 4:24 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--Updated on June 21st, 2011 ------

File Information

  • MD5 - 49DAA0B2857EA983593B73859E9CF80B
  • SHA - CABC772E29E30B7E3E53D2A9AAA0A7FAAA4D1BBA

Aliases

  • AVG         - Generic22.CMYN
  • Symantec   - Trojan.Gen
  • Ikarus         - Trojan.Win32.Diple
  • Kaspersky - Trojan.Win32.Diple.py

When executed, the Trojan drops the following files:

  • %Userprofile%\Start Menu\Programs\Startup\scandisk.lnk
  • %Userprofile%\Start Menu\Programs\Startup\scanndiskio92.dll
  • %Userprofile%\uload33.dll
  • %Systemdrive%\Documents and Settings\LocalService\uload33.dll
  • %Windir%\system32\uload33.dll
  • %Systemdrive%\scandisk.lnk
  • %Systemdrive%\scanndiskio92.dll

The following registry values have been added to the system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "NvCplDaemonTool" = "rundll32.exe C:\WINDOWS\system32\uload33.dll,_IWMPEvents"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\]
    "NvCplDaemonTool" = "rundll32.exe C:\DOCUME~1\LOCALS~1\uload33.dll,_IWMPEvents"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
    "NvCplDaemonTool" = "rundll32.exe C:\DOCUME~1\ADMINI~1\uload33.dll,_IWMPEvents"
  • [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\]
    "NvCplDaemonTool" = "rundll32.exe C:\DOCUME~1\LOCALS~1\uload33.dll,_IWMPEvents"

The above entries confirm that the Trojan executes upon every system reboot.
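The pattern above, a rundll32 loader registered under one value name in every hive, can be triaged from a registry export. The following Python is an added example, not McAfee's tooling; the .reg text is constructed from the values listed above, and the user-writable path list and the three-hive threshold are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed .reg export reproducing the four Run values listed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool"="rundll32.exe C:\\WINDOWS\\system32\\uload33.dll,_IWMPEvents"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool"="rundll32.exe C:\\DOCUME~1\\LOCALS~1\\uload33.dll,_IWMPEvents"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool"="rundll32.exe C:\\DOCUME~1\\ADMINI~1\\uload33.dll,_IWMPEvents"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool"="rundll32.exe C:\\DOCUME~1\\LOCALS~1\\uload33.dll,_IWMPEvents"
'''

# "rundll32.exe <dll>,<export>" with an optional path or quotes around the loader.
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+?)\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)
# Profile and temp locations a standard user can write to (8.3 short names included); assumed list.
USER_WRITABLE = re.compile(r'\\(?:DOCUME~1|Documents and Settings|Users|Temp|AppData)\\',
                           re.IGNORECASE)


def parse_reg(text):
    """Yield (key, value_name, value_data) for the string values of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes: \\ for a backslash, \" for a quote
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data


def hive_of(key):
    """Hive identifier; for HKEY_USERS keep the SID (or .DEFAULT) so each profile counts once."""
    parts = key.split("\\")
    return "\\".join(parts[:2]) if parts[0].upper() == "HKEY_USERS" else parts[0]


def triage_run_entries(text):
    """Return a list of findings for Run values that match the persistence pattern above."""
    entries = [(k, n, d) for k, n, d in parse_reg(text) if k.lower().endswith("\\run")]
    hives_by_name = defaultdict(set)
    for key, name, _ in entries:
        hives_by_name[name].add(hive_of(key))

    findings = []
    for key, name, data in entries:
        reasons = []
        m = RUNDLL_RE.match(data)
        if m:
            reasons.append("rundll32 loader: %s!%s" % (m.group("dll"), m.group("export")))
            if USER_WRITABLE.search(m.group("dll")):
                reasons.append("DLL lives under a user-writable profile path")
        if len(hives_by_name[name]) >= 3:
            reasons.append("same value name registered in %d hives" % len(hives_by_name[name]))
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG):
        print(f["key"], f["name"], "->", "; ".join(f["reasons"]))
```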

--------------------------------------------------------------------------------

---- Updated on March 18th, 2010

File Information -

    • MD5 - 90B1621E5F91B6B01787F6C9FE548DF7
    • SHA - 94D7701B5D51B9FC4361C3F9118D404F1BDD0DA7

Aliases -

    • Kaspersky - Worm.Win32.AutoIt.xl
    • NOD32 - Win32/Tifaut.B
    • Ikarus - Worm.Win32.AutoIt
    • Microsoft - Worm:Win32/Renocide.gen!A

Characteristics –

When executed, the Trojan copies itself into the following location:

    • %Windir%\system32\csrcs.exe

and drops the following files:

    • %Windir%\system32\autorun.inf
    • %Systemdrive%\khq

It also drops an autorun.inf file into the root of all removable and mapped drives so that an executable is launched automatically when the drive is accessed.

The AutoRun.inf file points to the malware executable. When the removable or network drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file with the following entries:

    ;ceNSvxEzyuHeXrdqUmadoey
    [AutoRun]
    ;IHZBiQniRDeueZYfynCLpGztYNlgEpEJHHcviQ
    open=ecyuah.exe
    ;QaoqBzXlveKMuIHfsSr
    shell\open\Command=ecyuah.exe
    ;tfqAexJLikKRVMrMmyaOZGwDpvqmXPZsHbHdXpwfiiRxXarivznudk
    shell\open\Default=1
    shell\explore\Command=ecyuah.exe
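The listing above can be parsed and scored by the checker below, an added Python example that is not part of the original description. It embeds a copy of the autorun.inf shown above as its sample; treating random-letter comment lines and launch verbs that all point at one bare executable as suspicious is an assumption of the example.

```python
import re

# Constructed copy of the autorun.inf listed on this page.
SAMPLE_AUTORUN = """;ceNSvxEzyuHeXrdqUmadoey
[AutoRun]
;IHZBiQniRDeueZYfynCLpGztYNlgEpEJHHcviQ
open=ecyuah.exe
;QaoqBzXlveKMuIHfsSr
shell\\open\\Command=ecyuah.exe
;tfqAexJLikKRVMrMmyaOZGwDpvqmXPZsHbHdXpwfiiRxXarivznudk
shell\\open\\Default=1
shell\\explore\\Command=ecyuah.exe
"""

# [AutoRun] keys that make Windows run something when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}
EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)$", re.IGNORECASE)
# A comment made of 15+ letters with no spaces reads as filler, not as a human note (assumption).
JUNK_COMMENT = re.compile(r"^[A-Za-z]{15,}$")


def parse_autorun(text):
    """Return (launch_targets, comment_count, junk_comment_count) for the [AutoRun] section."""
    targets, comments, junk = {}, 0, 0
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments += 1
            if JUNK_COMMENT.match(line[1:].strip()):
                junk += 1
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in LAUNCH_KEYS:
            targets[key] = value
    return targets, comments, junk


def assess_autorun(text):
    """Classify an autorun.inf as benign, launches-binary or suspicious, with reasons."""
    targets, comments, junk = parse_autorun(text)
    # The first token of each launch value is the program; arguments may follow it.
    execs = {k: v for k, v in targets.items() if v and EXECUTABLE.search(v.split()[0])}
    reasons = []
    if execs:
        reasons.append("launches executable(s): " + ", ".join(sorted(set(execs.values()))))
    if len(execs) >= 2 and len(set(execs.values())) == 1:
        reasons.append("every launch verb points at the same binary")
    if junk and junk == comments:
        reasons.append("%d comment lines are random letters (hash-varying filler)" % junk)
    if execs and len(reasons) >= 2:
        verdict = "suspicious"
    elif execs:
        verdict = "launches-binary"
    else:
        verdict = "benign"
    return {"verdict": verdict, "targets": targets, "reasons": reasons}


if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN))
```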

It then connects to the following website to obtain the victim machine's public IP address.

    • hxxp://www.whatismyip.com

The following registry keys have been added to the system.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

The following registry value has been added.

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
      "csrcs" = "%Windir%\system32\csrcs.exe"

The above Run entry ensures that the Trojan executes at every boot.

The following registry values have been modified.

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
      "Shell" = "Explorer.exe csrcs.exe"

The above Winlogon Shell value ensures that the Trojan is launched alongside Explorer.exe at every boot.

    • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "Hidden" = "0x00000002"

The above registry value prevents the user from viewing hidden files and folders on the system.

[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-----

--Updated February 11th, 2010 ------

File Information

  • MD5  -  D99D448CCE93024EFB620E3C920AED0A
  • SHA  - D2897D4E122DD8104DE1FE352BCEB6402C34DE4C

Aliases

  • Kaspersky - Trojan.Win32.Buzus.ckem
  • NOD32    - Win32/AutoRun.IRCBot.DI
  • Ikarus       - Trojan.Win32.Buzus
  • Microsoft - Worm:Win32/Pushbot.OJ

Upon execution, the Trojan tries to connect to the site java.kut[Removed]mily.com on remote port 81.

When executed, the malware binary copies itself into the following locations:

  • %Windir%\system32\drivers\BSLBT.exe
  • [Removable Drive]:\recycler\s-51-9-25-3434476501-1644491933-601013339-1214\bslbt.exe

This Trojan also attempts to create an autorun.inf file in the root of any accessible disk volume.

The AutoRun.inf file points to the malware executable. When the removable or network drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

The following registry values have been added. They ensure that the malware binary registers itself with the compromised system and executes at every boot.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "Microsoft Driver Setup" = "%System%\drivers\BSLBT.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Driver Setup" = "%System%\drivers\BSLBT.exe"

This Trojan terminates the following security and analysis software processes on the compromised system.

  • VIPRE.EXE
  • ISSDM_EN_32.EXE
  • P08PROMO.EXE
  • K7TS_SETUP.EXE
  • AVINSTALL.EXE
  • WITSETUP.EXE
  • TrendMicro_TISPro_16.1_1063_x32.EXE
  • VBA32-PERSONAL-LATEST-ENGLISH.EXE
  • CCSETUP210.EXE
  • FSMB32.EXE
  • FSGK32.EXE
  • FSAV95.EXE
  • SPIDERUI.EXE
  • SPIDERNT.EXE
  • ALERTMAN.EXE
  • RAVMOND.EXE
  • MAKEREPORT.EXE
  • BOXMOD.EXE
  • 360SAFE.EXE
  • 360RPT.EXE
  • 360HOTFIX.EXE
  • MKSPC.EXE
  • MKSFWALL.EXE
  • MKSVIRMONSVC.EXE
  • MKS_SCAN.EXE
  • MKS_MAIL.EXE
  • MKSREGMON.EXE
  • KAVPFW.EXE
  • KASMAIN.EXE
  • KAV32.EXE
  • ARCACHECK.EXE
  • ARCAVIR.EXE
  • AVMENU.EXE
  • A2HIJACKFREE.EXE
  • A2SERVICE.EXE
  • A2START.EXE
  • A2SCAN.EXE
  • NOD32M2.EXE
  • NOD32CC.EXE
  • NOD32.EXE
  • NMAIN.EXE
  • NOD32KUI.EXE
  • MSASCUI.EXE
  • MSMPENG.EXE
  • MCUPDATE.EXE
  • SVCPRS32.EXE
  • ITMRTSVC.EXE
  • CCPROVSP.EXE
  • MDMCLS32.EXE
  • CAGLOBALLIGHT.EXE
  • CAPFUPGRADE.EXE
  • AVGWDSVC.EXE
  • ASHWEBSV.EXE
  • ASHMAISV.EXE
  • ASWUPDSV.EXE
  • ASHSERV.EXE
  • ASHDISP.EXE
  • AVCENTER.EXE
  • SCHED.EXE
  • WIRESHARK.EXE
  • SPYBOTSD.EXE
  • TEATIMER.EXE
  • SPYBOTSD160.EXE
  • PROCESSMONITOR.EXE
  • PROCDUMP.EXE
  • PG2.EXE
  • LORDPE.EXE
  • ICESWORD.EXE
  • REANIMATOR.EXE

This Trojan also tries to connect to the following sites:

  • java.BALDM[Removed]WER.NET
  • java.BALDM[Removed]OWER.ORG
  • java.BALDM[Removed]OWER.COM

[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-------------------------------------------------------------------------------

--Updated January 19th, 2010 ------

File Information

  • MD5  -  68127FF189D9F8C417DF84D9A035E5E9
  • SHA  - 4618E4E1DB77DE3EA17074DBA106D3C8F35FFA60

Aliases

  • AVG           - Generic20.BCXN
  • TrendMicro - BKDR_POSTBOT.ER
  • Symantec    - Trojan.Gen.2
  • Microsoft    - Trojan:Win32/Dynamer!dtc

Upon execution, the Trojan tries to connect to the site mcupdate.na[Removed]rver.ns2.name on remote port 443.

This is a component that is intended to be executed on the victim's machine. It may be received via email, a file-sharing network, an IRC channel, etc., or it may be installed by a dropper.

Once connected to the above site, the Trojan sends the following information to the attacker:

  • Host Name
  • IP Address

Once the system is compromised, the Trojan gives the attacker access to perform various backdoor activities. The dropped Trojan file acts as a server and carries out the commands it receives from the client.

The following registry key has been added to the system.

  • HKEY_LOCAL_MACHINE\tmp123

The following registry value has been added to the system.

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\MACHINE\]
    "tmp123" = "\Device\HarddiskVolume1\Documents and Settings\All Users\ntuser.dat"

A mutex is created to ensure only one instance of the worm is running at a time.

  • siueu2dowg

-------------------------------------------------------------------------------------------

--Updated December 23rd 2010 ------

A new version of this threat shows rootkit behavior once installed on the system. The files may change slightly from one infection to another.

This new version installs two services in an infected system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDSUpDvr = "%SYSTEM32%\drivers\LDSUpDvr.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DCOMCheck = "dcomcheck.exe"

These files are usually hidden from the operating system.

Once executed, the service will contact the following domain over HTTPS:

  • cnn.911223.com

The initial communication carries information about the infected computer.

--Updated December 21st 2010 ------

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information

  • MD5  -  19d85e165baaa5c03f7a7353ca98c9c4
  • SHA  - 9085e30695784757ed90aa3bef3aa8af4f99703f

Aliases

  • Kaspersky - Backdoor.Win32.Poison.bxst
  • Symantec - Backdoor.Trojan
  • Ikarus      - Backdoor.Win32.Poison
  • Microsoft - Backdoor:Win32/Poison.M

The Trojan tries to connect to the site "marmhao.ho[Removed]p.net".

This Trojan also opens a backdoor and allows the attacker to issue commands to control the compromised machines.

It collects information about the compromised system and sends it to the attacker:

  • Computer name
  • Other information

--Updated December 8th 2010 ------

There is a new variant of Generic BackDoor.u that connects to the following site:

     • abcbb.911223.com

It then downloads the file msimage.dat, which gathers machine information and sends it to the above site.

It creates a registry Run entry to load itself at startup:

     • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This malware has been observed spreading through a known Java vulnerability, CVE-2009-3867.

--Updated December 1st 2010 ------

File Information –

    • MD5   : d1efd605c2c03d3b815a5cda0072a4c9
    • SHA1  : 9e5e0c23acfe11351f39e595a52a29044d59a0ee

Aliases -

    • Fortinet - HackerTool/ZXProxy
    • Kaspersky - not-a-virus:NetTool.Win32.ZXProxy.mh
    • Microsoft - Backdoor:Win32/Delf.B
    • Symantec - Infostealer

"Generic BackDoor.u" acts as a keylogger that captures all user keystrokes (including confidential details such as usernames, passwords and credit card numbers) and sends them to the attacker.

It connects to the following sites to perform malicious activity:

    • [removed].china.com
    • [removed].3322.net
    • [removed].oray.net

This Trojan sends the following Windows system configuration details to the attacker through a remote server.

    • RegisteredOrganization
    • ProductId
    • RAM Size
    • CPU
    • ProcessorNameString
    • Number of Processors

The Trojan also sends the following system information (computer name, processor information, OS version) to the attacker:

    • Drive Information
    • Total Space
    • Free Space
    • Free Rate
    • Volume Information
    • Current Display Mode
    • System Directory
    • Host Name
    • Organization
    • RegisteredOwner
    • Owner

It opens a remote command shell, which allows the server to execute commands, by adding the following registry key:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command
    • USAGE: runas <PID>ExeFile
      Example:
      runas test.exe      (run test.exe with the context of lsass.exe default.)
      runas 724 test.exe  (run test.exe with the context of specified pid.)
      runas user password test.exe  (run test.exe as user)
    • The Trojan takes snapshots of the system and sends them to the attacker.
    • It gathers the contact details available in the Address Book and dials the listed contacts without the user's knowledge.
    • It also dials in to remote systems and carries a password recovery tool aimed at Windows 2000/XP/2003.
    • It scans remote ports using the following command:
      • TCP Port MultiScanner v1.0.
        USAGE:
        PortScan [-ip] <IP>[-p] <PORT>[-f] <OUTPUTFORMAT>[-timeout] sec [-thread] maxthread [-save] <FILENAME>
        Example:
        PortScan -ip 1.1.1.1-1.1.2.254 -p 80 -f "IP: %s:%d"
        PortScan -ip 1.1.1.1-1.1.1.50,1.1.2.1-1.1.2.50 -p 21-23,3389
        PortScan -ip 1.1.1.1,2.2.2.2 -p 1-65535 -save xx.txt -timeout 1 -thread 200
    • It enumerates files by path, allowing the server to browse the contents of the file system.
    • It creates a small proxy server named ZXHttpProxy to communicate with the remote system.
    • It also enumerates Terminal Services sessions to show who is logged into the machine.

Upon execution, the following registry keys have been added to the system:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\zxplug
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security

The following registry values have been added:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security]
      Security = (data not listed)
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
      ServiceDll = "%WinDir%\System32\bakerinit.dll"
      ServiceDllUnloadOnStop = 0x00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
      Type = 0x00000120
      Start = 0x00000002
      ErrorControl = 0x00000001
      ImagePath = "%WinDir%\System32\svchost.exe -k netsvcs"
      DisplayName = "6to4"
      ObjectName = "LocalSystem"

The above entries show that the Trojan registers itself as a service named "6to4", hosted by svchost.exe in the netsvcs group, with bakerinit.dll as its ServiceDll.

[Note: %WinDir% is C:\Windows]

--Updated November 17th 2010 ------

Generic BackDoor.u is a generic detection name for Trojans that open a backdoor and allow the attacker to issue commands to control the compromised machines and may download malicious files.

File Information

  • MD5  -  AE4CE941DB9DB863CBF4F6C416A70C63
  • SHA  - 6F48DA825D1017D838914121AA500825F3ED8407

Aliases

  • AVG        - BackDoor.Generic13.QSP
  • GData      - Gen:Variant.Kazy.3089
  • Microsoft - Backdoor:Win32/Poison.M
  • Panda       - Trj/CI.A

Upon execution, the Trojan injects itself into IExplore.exe and connects to the IP address 201.57.[Removed].130 on remote port 80.

When executed, the Trojan copies itself into the following location:

  • %Windir%\startmgr32.exe [Detected as Generic.dx!usf]

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{259BFDF9-EACF-4F95-1F55-03209F01631D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WZCDLG
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Visual Basic
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Visual Basic\6.0

The following registry values have been added.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{259BFDF9-EACF-4F95-1F55-03209F01631D}\]
    "StubPath" = "%Windir%\startmgr32.exe"

The above Active Setup StubPath value ensures that the Trojan registers with the compromised system and executes at every boot.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "Startup Manager" = "%Windir%\startmgr32.exe"

The above Run entry ensures that the Trojan executes at every boot.

[%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000), %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

----------------------------------------------------------------------------------------------------------

Generic BackDoor.u is a generic detection name for Trojans that open a backdoor and allow the attacker to issue commands to control the compromised machines. More information on Generic BackDoor detections is available here.

Updated March 5th 2010

A new detection was added to this generic family. A DLL named Arucer.dll was found that is capable of allowing remote access to a system. This DLL is usually located in the %System% folder and has an associated Run key that restarts it on reboot:

  • rundll32 %System%\Arucer.dll,Arucer

The backdoor listens on port 7777 and accepts connections. For each connection, it reads the first four bytes and XORs them with 0xE5. After those four bytes it accepts up to 0x800 bytes of data, XORs them with the same key, and interprets the decoded data as commands. There are nine commands in total; some of them are as follows:

  • {E2AC5089-3820-43fe-8A4D-A7028FAD8C28}
  • {F6C43E1A-1551-4000-A483-C361969AEC41}
  • {EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}

Although no malicious activity was observed during testing, such a backdoor may give attackers open access to machines.
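The framing described above (a 4-byte header and up to 0x800 bytes of body, each XOR'd with 0xE5, carrying GUID-string commands) can be decoded from a capture of port 7777 traffic. The following Python is an added example, not McAfee's or the backdoor's code; the sample payload is constructed, and the header bytes are left uninterpreted because the page does not state what they encode.

```python
import re

ARUCER_PORT = 7777
XOR_KEY = 0xE5
HEADER_LEN = 4
MAX_BODY = 0x800

# The three command identifiers listed on this page (compared case-insensitively).
KNOWN_COMMANDS = {
    "{E2AC5089-3820-43FE-8A4D-A7028FAD8C28}",
    "{F6C43E1A-1551-4000-A483-C361969AEC41}",
    "{EA7A2EB7-1E49-4D5F-B4D8-D6645B7440E3}",
}
GUID_RE = re.compile(rb"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def xor_e5(data: bytes) -> bytes:
    """Single-byte XOR with 0xE5; the same call encodes and decodes."""
    return bytes(b ^ XOR_KEY for b in data)


def split_message(payload: bytes):
    """Decode one client message into (header, body), honouring the 0x800-byte body limit."""
    header = xor_e5(payload[:HEADER_LEN])
    body = xor_e5(payload[HEADER_LEN:HEADER_LEN + MAX_BODY])
    return header, body


def inspect_connection(dst_port: int, payload: bytes) -> dict:
    """Verdict for one captured client-to-server payload on a given destination port."""
    if dst_port != ARUCER_PORT:
        return {"verdict": "not-arucer-port", "commands": [], "header": b"", "guid_count": 0}
    header, body = split_message(payload)
    guids = [g.decode("ascii").upper() for g in GUID_RE.findall(body)]
    known = [g for g in guids if g in KNOWN_COMMANDS]
    if known:
        verdict = "arucer-command"
    elif guids:
        verdict = "guid-after-xor-e5"   # decodes to GUID syntax but is not a listed command
    else:
        verdict = "no-match"            # plaintext or unrelated traffic on this port
    return {"verdict": verdict, "commands": known, "header": header, "guid_count": len(guids)}


# Constructed capture: four header bytes (meaning not documented on this page) followed by
# one listed command, the whole message XOR'd with 0xE5 as a client would send it.
SAMPLE_PAYLOAD = xor_e5(b"\x26\x00\x00\x00" + b"{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}")


if __name__ == "__main__":
    print(inspect_connection(ARUCER_PORT, SAMPLE_PAYLOAD))
```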

===============================================================================

There are several variants of this trojan. This description is for a specific sample.


On execution, the Trojan copies itself into %SystemDir% and drops a DLL file into %SystemDir% as {random_name}.dIl. Here random_name means that the name of this DLL file, whose extension is dIl, may differ between executions of this Trojan.

It then registers the DLL as a COM object by creating registry entries under

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{<DLL_CLSID>}\

(where <DLL_CLSID> is the CLSID that the Trojan associates with the dropped DLL and may differ each time the Trojan executes; an example of <DLL_CLSID> is F3972BD9-2B47-3F3D-A42C-B2B13A2C187D.)

It also drops and loads another DLL from the following location:

    • X:\Documents and Settings\%User%\Local Settings\Temp\{random_name}.dll

(where X: is the system drive letter, e.g. C:, %User% is the current user ID, and random_name means that the name of the DLL may differ between executions of this Trojan.)


To activate itself on reboot, the trojan may add itself under the following registry entry:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


It then opens a backdoor and listens for commands. The port on which the backdoor is opened may be random. Some of the commands it can accept may allow the remote attacker to:

    • Transfer files
    • Load/Unload DLL files
    • Query/Modify the system registry
    • Launch a DoS attack on a specified target
    • Shut down/Restart the compromised machine


Code suggests that the malware accepts the following list of commands:

    • RUNDLL
    • RESTART
    • RESPAWN
    • UNINSTALL
    • MULTICAST
    • RESOLVE
    • STATS
    • SETCOOKIE
    • DELCOOKIES
    • LISTCOOKIES
    • EXPORT
    • ADDTO
    • DELFROM
    • SETSTR
    • PERFRM
    • UNFREEZE
    • RMOLD
    • UNIFORG
    • SETWND
    • LSTWND
    • SHUTDOWN
    • DISKFLOOD
    • DISKUNFLOOD

Symptoms

  • Presence of files and registries as mentioned.
  • Unexpected network traffic.
  • More information on symptoms of Generic BackDoor is available here.

 

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

 

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  3. Select the compromised Windows installation and provide the administrator password.
  4. Issue the 'fixmbr' command to restore the Master Boot Record.
  5. Follow the on-screen instructions.
  6. Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  1. Insert the Windows CD into the CD-ROM drive and restart the computer.
  2. Click "Repair Your Computer".
  3. When the System Recovery Options dialog appears, choose Command Prompt.
  4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  5. Follow the on-screen instructions.
  6. Restart the computer and remove the CD from the CD-ROM drive.

Variants

    N/A

All Information

Overview -

-- Update March 9, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:  http://news.techworld.com/security/3214563/energizer-bunny-infects-pcs-with-backdoor-malware/

--

Generic BackDoor.u is a generic detection name for trojans that open a backdoor and allow the attacker to issue commands to control the compromised machines. More information on Generic BackDoor deteections is available here.

Characteristics

Characteristics -

--Updated on June 21st, 20110---

File Information

  • MD5 - 49DAA0B2857EA983593B73859E9CF80B
  • SHA - CABC772E29E30B7E3E53D2A9AAA0A7FAAA4D1BBA

Aliases

  • AVG         - Generic22.CMYN
  • Symantec   - Trojan.Gen
  • Ikarus         - Trojan.Win32.Diple
  • Kaspersky - Trojan.Win32.Diple.py

When executed the Trojan drops the following files:

  • %Userprofile%\Start Menu\Programs\Startup\scandisk.lnk
  • %Userprofile%\Start Menu\Programs\Startup\scanndiskio92.dll
  • %Userprofile%\uload33.dll
  • %Systemdrive%\Documents and Settings\LocalService\uload33.dll
  • %Windir%\system32\uload33.dll
  • %Systemdrive%\scandisk.lnk
  • %Systemdrive%\scanndiskio92.dll

The following registry values have been added to the system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    “NvCplDaemonTool” = "rundll32.exe C:\WINDOWS\system32\uload33.dll,_IWMPEvents"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\]
    “NvCplDaemonTool” = "rundll32.exe C:\DOCUME~1\LOCALS~1\uload33.dll,_IWMPEvents"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
    “NvCplDaemonTool” = "rundll32.exe C:\DOCUME~1\ADMINI~1\uload33.dll,_IWMPEvents"
  • [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\]
    “NvCplDaemonTool” = "rundll32.exe C:\DOCUME~1\LOCALS~1\uload33.dll,_IWMPEvents"

The above entries confirm that the Trojan executes upon every system reboot.

--------------------------------------------------------------------------------

---- Updated on March 18th, 2010

File Information -

    • MD5 - 90B1621E5F91B6B01787F6C9FE548DF7
    • SHA - 94D7701B5D51B9FC4361C3F9118D404F1BDD0DA7

Aliases -

    • Kaspersky - Worm.Win32.AutoIt.xl
    • NOD32 - Win32/Tifaut.B
    • Ikarus - Worm.Win32.AutoIt
    • Microsoft - Worm:Win32/Renocide.gen!A

Characteristics –

When executed, the Trojan copies itself into the following location:

    • %Windir%\system32\csrcs.exe

And drops following files:

    • %Windir%\system32\autorun.inf
    • %Systemdrive%\khq

Also it drops an autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

;ceNSvxEzyuHeXrdqUmadoey

[AutoRun]

;IHZBiQniRDeueZYfynCLpGztYNlgEpEJHHcviQ

open=ecyuah.exe

;QaoqBzXlveKMuIHfsSr

shell\open\Command=ecyuah.exe

;tfqAexJLikKRVMrMmyaOZGwDpvqmXPZsHbHdXpwfiiRxXarivznudk

shell\open\Default=1

shell\explore\Command=ecyuah.exe

It then connects to the following websites to get the victim machine's IP address.

    • hxxp://www.whatismyip.com

The following registry key has been added to the system.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

The following registry value has been added.

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
      "csrcs" = "%Windir%\system32\csrcs.exe"

The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.

The following registry values have been modified.

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
      "Shell" = "Explorer.exe csrcs.exe"

The above mentioned registry ensures that, the Trojan registers with the compromised system and execute itself upon every boot.

    • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "Hidden" = "0x00000002"

The above mentioned registry entries confirms that the Trojan prevents the compromised user to view the hidden files and folders in the system.

[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-----

--Updated February 11th, 2010 ------

File Information

  • MD5  -  D99D448CCE93024EFB620E3C920AED0A
  • SHA  - D2897D4E122DD8104DE1FE352BCEB6402C34DE4C

Aliases

  • Kaspersky - Trojan.Win32.Buzus.ckem
  • NOD32    - Win32/AutoRun.IRCBot.DI
  • Ikarus       - Trojan.Win32.Buzus
  • Microsoft - Worm:Win32/Pushbot.OJ

Upon execution the trojan tries to the connect to the site java.kut[Removed]mily.com through a remote port 81.

When executed, the malware binary copies itself into the following location.

  • %Windir%\system32\drivers\BSLBT.exe
  • :[Removable Drive]\ recycler\s-51-9-25-3434476501-1644491933-601013339-1214\bslbt.exe

This trojan also attempts to create an autorun.inf file on the root any accessible disk volumes:

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The following registry key has been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

The following registry value has been added.

Below mentioned registry ensures that, the malware binary registers itself with the compromised system and execute itself upon every boot.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    “Microsoft Driver Setup” = "%System%\drivers\BSLBT.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    “Microsoft Driver Setup” = "%System%\drivers\BSLBT.exe"

This Trojan terminates the following security software in the compromised system.

  • VIPRE.EXE
  • ISSDM_EN_32.EXE
  • P08PROMO.EXE
  • K7TS_SETUP.EXE
  • AVINSTALL.EXE
  • WITSETUP.EXE
  • TrendMicro_TISPro_16.1_1063_x32.EXE
  • VBA32-PERSONAL-LATEST-ENGLISH.EXE
  • CCSETUP210.EXE
  • FSMB32.EXE
  • FSGK32.EXE
  • FSAV95.EXE
  • SPIDERUI.EXE
  • SPIDERNT.EXE
  • ALERTMAN.EXE
  • RAVMOND.EXE
  • MAKEREPORT.EXE
  • BOXMOD.EXE
  • 360SAFE.EXE
  • 360RPT.EXE
  • 360HOTFIX.EXE
  • MKSPC.EXE
  • MKSFWALL.EXE
  • MKSVIRMONSVC.EXE
  • MKS_SCAN.EXE
  • MKS_MAIL.EXE
  • MKSREGMON.EXE
  • KAVPFW.EXE
  • KASMAIN.EXE
  • KAV32.EXE
  • ARCACHECK.EXE
  • ARCAVIR.EXE
  • AVMENU.EXE
  • A2HIJACKFREE.EXE
  • A2SERVICE.EXE
  • A2START.EXE
  • A2SCAN.EXE
  • NOD32M2.EXE
  • NOD32CC.EXE
  • NOD32.EXE
  • NMAIN.EXE
  • NOD32KUI.EXE
  • MSASCUI.EXE
  • MSMPENG.EXE
  • MCUPDATE.EXE
  • SVCPRS32.EXE
  • ITMRTSVC.EXE
  • CCPROVSP.EXE
  • MDMCLS32.EXE
  • CAGLOBALLIGHT.EXE
  • CAPFUPGRADE.EXE
  • AVGWDSVC.EXE
  • ASHWEBSV.EXE
  • ASHMAISV.EXE
  • ASWUPDSV.EXE
  • ASHSERV.EXE
  • ASHDISP.EXE
  • AVCENTER.EXE
  • SCHED.EXE
  • WIRESHARK.EXE
  • SPYBOTSD.EXE
  • TEATIMER.EXE
  • SPYBOTSD160.EXE
  • PROCESSMONITOR.EXE
  • PROCDUMP.EXE
  • PG2.EXE
  • LORDPE.EXE
  • ICESWORD.EXE
  • REANIMATOR.EXE

Also this Trojan tries to connects to the following sites:

  • java.BALDM[Removed]WER.NET
  • java.BALDM[Removed]OWER.ORG
  • java.BALDM[Removed]OWER.COM

 [%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-------------------------------------------------------------------------------

--Updated January 19th, 2010 ------

File Information

  • MD5  -  68127FF189D9F8C417DF84D9A035E5E9
  • SHA  - 4618E4E1DB77DE3EA17074DBA106D3C8F35FFA60

Aliases

  • AVG           - Generic20.BCXN
  • TrendMicro - BKDR_POSTBOT.ER
  • Symantec    - Trojan.Gen.2
  • Microsoft    - Trojan:Win32/Dynamer!dtc

Upon execution the Trojan tries to connect to the site mcupdate.na[Removed]rver.ns2.name through a remote port 443.

This is a component that is intended to be executed on the victim's machine. It may be received via email, file-sharing network, IRC channel etc, or it could be installed by a dropper file.

When connected to the above site, this Trojan sends below mentioned information to the attacker.

  • Host Name
  • IP Address

Once the system is compromised, the Trojan gives access to the attacker to perform various backdoor activities. The dropped Trojan file acts as a server and it will perform the commands which it receives from the client.

The following registry key has been added to the system.

  • HKEY_LOCAL_MACHINE\tmp123

The following registry key values have been added to the system.

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\MACHINE\]
    “tmp123” = “\Device\HarddiskVolume1\Documents and Settings\All Users\ntuser.dat”

A mutex is created to ensure only one instance of the worm is running at a time.

  • siueu2dowg

-------------------------------------------------------------------------------------------

--Updated December 23rd 2010 ------

There is a new version of this threat which started to show rootkit behavior once installed on the system. The files may change slightly from one infection to another.

This new version installs two services in an infected system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDSUpDvr = "%SYSTEM32%\drivers\LDSUpDvr.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DCOMCheck = "dcomcheck.exe"

These files are usually hidden from the operating system.

Once executed, the service will contact the following domain over HTTPS:

  • cnn.911223.com

The initial communication is sent with information about the infected computer as described below.

--Updated December 21st 2010 ------

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information

  • MD5  -  19d85e165baaa5c03f7a7353ca98c9c4
  • SHA  - 9085e30695784757ed90aa3bef3aa8af4f99703f

Aliases

  • Kaspersky - Backdoor.Win32.Poison.bxst
  • Symantec - Backdoor.Trojan
  • Ikarus      - Backdoor.Win32.Poison
  • Microsoft - Backdoor:Win32/Poison.M

The Trojan tries to connect to the site “marmhao.ho[Removed]p.net”

This Trojan also opens a backdoor and allows the attacker to issue commands to control the compromised machines.

It collects information about the compromised system and sends it to the attacker.

  • Computer name
  • And other information

--Updated December 8th 2010 ------

There is a new variant of Generic BackDoor.u that connects to the following site:

  • abcbb.911223.com

It then downloads the file msimage.dat, which gathers machine information and sends it to the above mentioned site.

It creates a registry Run key to load itself at start-up:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It is observed that this malware spreads through a known Java vulnerability, CVE-2009-3867.

--Updated December 1st 2010 ------

File Information –

    • MD5   : d1efd605c2c03d3b815a5cda0072a4c9
    • SHA1  : 9e5e0c23acfe11351f39e595a52a29044d59a0ee

Aliases -

    • Fortinet - HackerTool/ZXProxy
    • Kaspersky - not-a-virus:NetTool.Win32.ZXProxy.mh
    • Microsoft - Backdoor:Win32/Delf.B
    • Symantec - Infostealer

"Generic BackDoor.u" acts as a keylogger program that captures all user keystrokes (including confidential details such as usernames, passwords, credit card numbers, etc.) and sends them to the attacker.

It connects to the following sites to perform malicious activity:

    • [removed].china.com
    • [removed].3322.net
    • [removed].oray.net

This Trojan sends the following Windows system configuration details to the attacker through a remote server.

    • RegisteredOrganization
    • ProductId
    • RAM Size
    • CPU
    • ProcessorNameString
    • Number of Processors

The Trojan also sends the following system information (computer name, processor information, OS version) to the attacker:

    • Drive Information
    • Total Space
    • Free Space
    • Free Rate
    • Volume Information
    • Current Display Mode
    • System Directory
    • Host Name
    • Organization
    • RegisteredOwner
    • Owner

It opens a remote command shell, which allows the server to execute commands, by adding the following registry key:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command
    • USAGE: runas <PID>ExeFile
      Example:
      runas test.exe      (run test.exe with the context of lsass.exe default.)
      runas 724 test.exe  (run test.exe with the context of specified pid.)
      runas user password test.exe  (run test.exe as user)
    • The Trojan creates snapshots of the system and sends them to the attacker.
    • It gathers the contact details available in the Address Book and dials the listed contacts without the user's knowledge.
    • It also dials remote systems with a Password Recovery tool to crack Windows 2k/XP/2003 versions.
    • It scans remote ports using the following commands:
      • TCP Port MultiScanner v1.0.
        USAGE:
        PortScan [-ip] <IP>[-p] <PORT>[-f] <OUTPUTFORMAT>[-timeout] sec [-thread] maxthread [-save] <FILENAME>
        Example:
        PortScan -ip 1.1.1.1-1.1.2.254 -p 80 -f "IP: %s:%d"
        PortScan -ip 1.1.1.1-1.1.1.50,1.1.2.1-1.1.2.50 -p 21-23,3389
        PortScan -ip 1.1.1.1,2.2.2.2 -p 1-65535 -save xx.txt -timeout 1 -thread 200
    • It enumerates files by path, allowing the server to browse the contents of the file system.
    • It creates a mini proxy server named ZXHttpProxy to communicate with the remote system.
    • It also enumerates Terminal Services sessions to show who is logged into the machine.

Upon execution, the following registry keys have been added to the system

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\zxplug
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security

The following registry values have been added:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security]
      Security =
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
      ServiceDll = "%WinDir%\System32\bakerinit.dll"
      ServiceDllUnloadOnStop = 0x00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
      Type = 0x00000120
      Start = 0x00000002
      ErrorControl = 0x00000001
      ImagePath = "%WinDir%\System32\svchost.exe -k netsvcs"
      DisplayName = "6to4"
      ObjectName = "LocalSystem"

The above entries confirm that the Trojan registers itself on the system as a service named "6to4".

[Note: %WinDir% = C:\Windows]

-------------------

--Updated November 17th 2010 ------

Generic BackDoor.u is a generic detection name for Trojans that open a backdoor and allow the attacker to issue commands to control the compromised machines and may download malicious files.

File Information

  • MD5  -  AE4CE941DB9DB863CBF4F6C416A70C63
  • SHA  - 6F48DA825D1017D838914121AA500825F3ED8407

Aliases

  • AVG        - BackDoor.Generic13.QSP
  • GData      - Gen:Variant.Kazy.3089
  • Microsoft - Backdoor:Win32/Poison.M
  • Panda       - Trj/CI.A

Upon execution, the Trojan injects itself into IExplore.exe and connects to the IP address 201.57.[Removed].130 through remote port 80.

When executed, the Trojan copies itself into the following location:

  • %Windir%\startmgr32.exe [Detected as Generic.dx!usf]

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{259BFDF9-EACF-4F95-1F55-03209F01631D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WZCDLG
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Visual Basic
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Visual Basic\6.0

The following registry value has been added.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{259BFDF9-EACF-4F95-1F55-03209F01631D}\]
    “StubPath” = “%Windir%\startmgr32.exe”

The above Active Setup entry ensures that the Trojan registers with the compromised system and executes upon every boot.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    “Startup Manager” = “%Windir%\startmgr32.exe”

The above Run entry ensures that the Trojan executes upon every boot.

[%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000), %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
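The persistence entries in the December 1st update (the 6to4 service whose Parameters\ServiceDll points at bakerinit.dll) and in the November 17th update (the Active Setup StubPath and Run values for startmgr32.exe) can all be checked from a registry export. The following is an added example for defenders, not McAfee tooling or code from the sample: it parses a .reg-style export and flags autostart commands that reference file names from this description, and svchost-hosted services whose ServiceDll is not the expected one. The export text is constructed from the keys and values on this page plus one benign control entry; the expected DLL name for the genuine 6to4 service (6to4svc.dll) is an assumption not stated on the page.

```python
"""Flag the persistence artifacts described above in a .reg-style export.

Added example for defenders, not McAfee tooling. SAMPLE_EXPORT is constructed
from the key and value names on this page plus one benign control entry.
"""
import re
from typing import Dict, List, Set, Tuple

# File names this description ties to Generic BackDoor.u variants.
SUSPECT_FILES = {"startmgr32.exe", "bakerinit.dll", "arucer.dll",
                 "ldsupdvr.sys", "dcomcheck.exe", "msimage.dat"}

# Stock ServiceDll of the genuine 6to4 service on XP/2003. Assumption used to
# spot a hijacked svchost service; the page does not state it.
EXPECTED_SERVICE_DLL = {"6to4": "6to4svc.dll"}

# Autostart locations named on the page (matched case-insensitively).
PERSISTENCE_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\microsoft\\active setup\\installed components\\",
)

# Constructed .reg export (regedit escapes backslashes in value data as "\\").
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Startup Manager"="%Windir%\\startmgr32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{259BFDF9-EACF-4F95-1F55-03209F01631D}]
"StubPath"="%Windir%\\startmgr32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"ImagePath"="%WinDir%\\System32\\svchost.exe -k netsvcs"
"DisplayName"="6to4"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="%WinDir%\\System32\\bakerinit.dll"
"ServiceDllUnloadOnStop"=dword:00000000
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} from a .reg export (strings and dwords)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # Quoted string: strip quotes and undo regedit's escaping.
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def file_names(command: str) -> Set[str]:
    """Lower-cased file names of every path-like token in a command string."""
    names = set()
    for tok in re.findall(r'[^\s",]+', command):
        if "\\" in tok or re.search(r"\.[a-z0-9]{2,4}$", tok, re.I):
            names.add(tok.rsplit("\\", 1)[-1].lower())
    return names


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (reason, key, value_name, data) for every entry worth a look."""
    hits = []
    for key, values in keys.items():
        low = key.lower()
        # 1. Autostart entries whose command references a file from the description.
        if any(p in low for p in PERSISTENCE_KEYS):
            for name, data in values.items():
                if file_names(data) & SUSPECT_FILES:
                    hits.append(("autostart references suspect file", key, name, data))
        # 2. svchost-hosted services: the DLL in Parameters\ServiceDll is what really runs.
        m = re.search(r"\\services\\([^\\]+)\\parameters$", low)
        if m:
            dll = next((v for n, v in values.items() if n.lower() == "servicedll"), None)
            if dll is not None:
                base = dll.rsplit("\\", 1)[-1].lower()
                expected = EXPECTED_SERVICE_DLL.get(m.group(1))
                if base in SUSPECT_FILES or (expected is not None and base != expected):
                    hits.append(("service DLL hijack", key, "ServiceDll", dll))
    return hits


if __name__ == "__main__":
    for reason, key, name, data in find_indicators(parse_reg(SAMPLE_EXPORT)):
        print(f"{reason}: [{key}] {name} = {data}")
```

Run against a real export (regedit /e or reg export) the same three kinds of hit appear: the Run value, the Active Setup StubPath, and the ServiceDll of the hijacked service. The benign ctfmon.exe entry is reported nowhere, which is the point of matching on file names rather than on the mere presence of an autostart value.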

----------------------------------------------------------------------------------------------------------

Generic BackDoor.u is a generic detection name for trojans that open a backdoor and allow the attacker to issue commands to control the compromised machines. More information on Generic BackDoor detections is available here.

--Updated March 5th 2010 ------

A new detection was added to this generic family. A DLL by the name of Arucer.dll was found which is capable of allowing remote access to a system. This DLL is usually located in the %System% folder and has an associated Run key which allows it to restart on reboot:

  • rundll32 %System%\Arucer.dll,Arucer

The backdoor opens port 7777, where it accepts connections. For each connection, the first four bytes are read and XOR'd with 0xE5. After those four bytes, the backdoor accepts up to 0x800 bytes of data, which is XOR'd with the same key; the decrypted data is then interpreted as commands. There is a list of 9 commands, some of which are as follows:

  • {E2AC5089-3820-43fe-8A4D-A7028FAD8C28}
  • {F6C43E1A-1551-4000-A483-C361969AEC41}
  • {EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}

Although no malicious activity was observed during testing, such a backdoor may allow attackers open access to machines.

===============================================================================

There are several variants of this trojan. This description is for a specific sample.


On execution, the trojan copies itself into %SystemDir% and drops a DLL file in %SystemDir% as {random_name}.dIl. {random_name} means that the name of this DLL file, whose extension is dIl, may differ between instances of execution of this trojan.

It then registers the dll as a COM object by creating registry entries under

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{<DLL_CLSID>}\

(where <DLL_CLSID> is the CLSID that the trojan associates with the dropped DLL, which may be different each time the trojan executes. An example of <DLL_CLSID> is F3972BD9-2B47-3F3D-A42C-B2B13A2C187D.)


It also drops and loads another DLL from the following location:

    • X:\Documents and Settings\%User%\Local Settings\Temp\{random_name}.dll

(where X: is the system drive letter, e.g. C:, %User% is the current user ID, and {random_name} means that the name of the DLL may differ between instances of execution of this trojan)


To activate itself on reboot, the trojan may add itself under the following registry entry:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


It then opens a backdoor and listens for commands. The port on which the backdoor is opened may be random. Some of the commands it can accept may allow the remote attacker to:

    • Transfer files
    • Load/Unload DLL files
    • Query/Modify the system registry
    • Launch a DoS attack on a specified target
    • Shutdown/Restart the compromised machine


Code suggests that the malware accepts the following list of commands:

    • RUNDLL
    • RESTART
    • RESPAWN
    • UNINSTALL
    • MULTICAST
    • RESOLVE
    • STATS
    • SETCOOKIE
    • DELCOOKIES
    • LISTCOOKIES
    • EXPORT
    • ADDTO
    • DELFROM
    • SETSTR
    • PERFRM
    • UNFREEZE
    • RMOLD
    • UNIFORG
    • SETWND
    • LSTWND
    • SHUTDOWN
    • DISKFLOOD
    • DISKUNFLOOD

Symptoms

  • Presence of the files and registry entries mentioned above.
  • Unexpected network traffic.
  • More information on symptoms of Generic BackDoor is available here.
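The "unexpected network traffic" symptom is concrete for this family: the description names the hosts cnn.911223.com and abcbb.911223.com and an inbound listener on port 7777. The following is an added example for defenders, not McAfee tooling, that matches those indicators against DNS and firewall log lines. The redacted hosts on the page are left out because their full names are not given. The log lines are constructed; the dnsmasq query line format is the real one, while the "fw: conn ..." connection line format is made up for this example.

```python
"""Match the network indicators on this page against DNS and firewall log lines.

Added example for defenders, not McAfee tooling. The log lines are constructed:
the dnsmasq query format is real, the "fw: conn ..." format is made up here.
"""
import re
from typing import Dict, Iterable, List

# Fully named C2 hosts from this description (redacted ones are left out).
C2_DOMAINS = {"cnn.911223.com", "abcbb.911223.com"}
# Parent zone both of them share; any other host under it deserves attention.
C2_ZONES = {"911223.com"}
# Listener port of the Arucer.dll variant.
BACKDOOR_PORT = 7777

DNS_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)")
CONN_RE = re.compile(r"conn src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)")

# Constructed sample log (RFC 5737 addresses for the external sides).
SAMPLE_LOG = [
    "Dec 23 10:15:01 gw dnsmasq[412]: query[A] cnn.911223.com from 10.0.0.5",
    "Dec 23 10:15:02 gw dnsmasq[412]: query[A] www.example.com from 10.0.0.5",
    "Dec 23 10:15:03 gw dnsmasq[412]: query[A] ABCBB.911223.COM. from 10.0.0.7",
    "Dec 23 10:15:04 gw dnsmasq[412]: query[A] not911223.com from 10.0.0.8",
    "Dec 23 10:16:00 gw fw: conn src=192.0.2.10 dst=10.0.0.5 proto=tcp dport=7777",
    "Dec 23 10:16:01 gw fw: conn src=10.0.0.5 dst=198.51.100.2 proto=tcp dport=443",
]


def domain_matches(name: str) -> bool:
    """True for an exact C2 host or any host under a C2 zone (label boundary respected)."""
    n = name.lower().rstrip(".")            # case-fold and drop a trailing root dot
    if n in C2_DOMAINS:
        return True
    return any(n == z or n.endswith("." + z) for z in C2_ZONES)


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert dict per line that hits an indicator from the page."""
    alerts = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            if domain_matches(m.group("qname")):
                alerts.append({"type": "dns-c2-lookup", "src": m.group("src"),
                               "indicator": m.group("qname").lower().rstrip(".")})
            continue
        m = CONN_RE.search(line)
        if m and int(m.group("dport")) == BACKDOOR_PORT:
            alerts.append({"type": "backdoor-port-connect", "src": m.group("src"),
                           "indicator": f"{m.group('dst')}:{BACKDOOR_PORT}"})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The zone check insists on a label boundary (".911223.com"), so a look-alike such as not911223.com does not match, while a fresh host under the same zone does. Port 7777 is reported only for connections to it, since a listener on that port is the symptom; ordinary outbound 443 traffic is ignored.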

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Reset and remove the CD from the CD-ROM drive.

Variants

    N/A