BackDoor-BAC!55436
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 10/10/2006
- Length: 55,436 bytes
- Minimum DAT: 4870 (10/10/2006)
- Updated DAT: 4877 (10/19/2006)
- Minimum Engine: 5.1.00
- Description Added: 10/10/2006
- Description Modified: 11/08/2006 4:43 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update October 10, 2006 --
A recent spam run has been reported whose purpose is to deliver a variant of BackDoor-BAC. The spammed email message, which purports to come from Walmart, reads as follows:
From: info@walmart.com
Subject: Order Confirmation number: 37679041
Body:
Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop. This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Payment by Credit card
Product : Quantity : Price
Subtotal : 2,449.99

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ). PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing. You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!
Symptoms
Upon execution, it drops the following files:
%Windir%\%SysDir%\qo.dll --> Detected as BackDoor-BAC.dll
%Windir%\%SysDir%\qo.sys --> Detected as BackDoor-BAC.sys
%Windir%\%SysDir%\ycsvgd.sys --> Detected as BackDoor-BAC.sys
%Windir%\%SysDir%\ydsvgd.sys --> Detected as BackDoor-BAC.sys
%Windir%\%SysDir%\ydsvgd.dll --> Detected as BackDoor-BAC.dll
Creates the following registry entries to auto-start the trojan at Windows logon. A DLL registered under Winlogon\Notify is loaded into winlogon.exe, which calls the exported function named by the "Startup" value (here XWD33Sifix) when Winlogon starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd
"DllName" = "ydsvgd.dll"
"Startup" = "XWD33Sifix"
Registers its rootkit component to start as a service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ycsvgd
"PTA Adapter" = "%Windir%\%SysDir%\ydsvgd.sys"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ydsvgd
"PTA Adapter32" = "%Windir%\%SysDir%\ycsvgd.sys"
Creates the following SafeBoot entries so that the driver is also loaded when Windows starts in Safe Mode (both Minimal and Networking):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys
Opens a backdoor listener on TCP port 16661, which allows a remote attacker unauthorized access. It additionally opens two TCP ports chosen at random on the infected computer.
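The persistence and network indicators listed above (Winlogon\Notify package, driver services, SafeBoot entries, TCP listener) can be triaged from a `reg export` dump and `netstat -ano` output taken on a suspect host. The script below is an added example written for this page, not McAfee's code; the registry dump and netstat text it scans are constructed to resemble the entries above (including a benign `crypt32chain` Notify package that must not be flagged), and it assumes REG_SZ values, which is the form `reg export` uses for the entries shown. It does not attempt to see through the rootkit: because the driver hooks the kernel, a live export can itself be filtered, so the same parser is best fed a hive or listing collected offline.

```python
"""Added triage example for the BackDoor-BAC!55436 indicators (not part of the
original description). Scans reg-export text and netstat output for the
persistence keys and the TCP/16661 listener documented above."""
import re

# Indicator names taken from the description above (lower-case for matching).
BAC_FILES = {"qo.dll", "qo.sys", "ycsvgd.sys", "ydsvgd.sys", "ydsvgd.dll", "kps001.sys"}
BAC_PORT = 16661
WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot"


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.
    Handles the [key], "name"="data" and @="data" forms; reg export doubles
    backslashes inside string data, so they are unescaped here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def _basename(path):
    """Last path component, lower-cased (Windows names are case-insensitive)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_indicators(reg, netstat_text):
    """Return a list of human-readable findings for the indicators above."""
    findings = []
    for key, values in reg.items():
        lk = key.lower()
        if lk.startswith(WINLOGON_NOTIFY.lower() + "\\"):
            # Any DLL here is loaded into winlogon.exe; flag only known BAC names.
            dll = values.get("DllName", "")
            if _basename(dll) in BAC_FILES:
                findings.append(f"winlogon-notify: {key} loads {dll} "
                                f"(Startup={values.get('Startup')})")
        elif lk.startswith(SERVICES.lower() + "\\"):
            # A service whose image path is one of the dropped drivers.
            for name, data in values.items():
                if _basename(data) in BAC_FILES:
                    findings.append(f"service: {key} {name}={data}")
        elif lk.startswith(SAFEBOOT.lower() + "\\"):
            # SafeBoot allow-list entry keeps the driver loading in Safe Mode.
            if key.rsplit("\\", 1)[-1].lower() in BAC_FILES:
                findings.append(f"safeboot: {key}")
    # Listening socket on the documented backdoor port.
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m and int(m.group(2)) == BAC_PORT:
            findings.append(f"listener: tcp/{BAC_PORT} on {m.group(1)} pid {m.group(3)}")
    return findings


# Constructed sample input (not from a real system); mirrors the keys above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd]
"DllName"="ydsvgd.dll"
"Startup"="XWD33Sifix"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ycsvgd]
"PTA Adapter"="%Windir%\\%SysDir%\\ydsvgd.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
'''

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:16661          0.0.0.0:0              LISTENING       1620
  TCP    192.168.1.20:1045      203.0.113.8:80         ESTABLISHED     1620
"""


def triage_sample():
    """Run the scan over the constructed sample; returns the findings list."""
    return find_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_NETSTAT)


if __name__ == "__main__":
    for f in triage_sample():
        print(f)
```

On the sample the scan reports four findings (the Notify package, the Ycsvgd service, the SafeBoot entry and the tcp/16661 listener) and stays silent on the legitimate crypt32chain package. The PID on the listener line is what you would pivot to next for the injected process.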
Rootkit component:
"ydsvgd.sys" is the rootkit component of this trojan and is responsible for hiding the presence of the trojan on an infected system. It hooks the System Service Descriptor Table (SSDT), overwriting the entries for the following native Nt* functions implemented in Ntoskrnl.exe with pointers to the rootkit's own code:
- NtOpenThread
- NtOpenProcess
- NtCreateProcess
- NtQueryDirectoryFile
- NtQuerySystemInformation
When the rootkit is loaded, it hides files whose names contain any of the following strings:
- gsvga.bin
- lps.dat
- mnsvgas.bin
- qo.dll
- qo.sys
- shsvga.bin
- t001f.exd
- ttsvga.dat
- wagfola4w.dat
- ycsvgd.sys
- ydsvgd.dll
- ydsvgd.sys
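Because the hiding is done by filtering NtQueryDirectoryFile, it only affects listings obtained through the live kernel; a listing taken another way (the volume mounted offline, a raw NTFS parse, or a boot from clean media) still shows the files. Diffing the two views is the standard cross-view technique for this class of rootkit, and the string list above then tells you which hidden names belong to BackDoor-BAC. The following is an added example written for this page, not McAfee's code; both directory views are constructed, the description says only that names "contain" the strings, so the match is a case-insensitive substring test (an assumption), and the example deliberately includes a file hidden for some other reason to show that a cross-view difference is evidence, not proof.

```python
"""Added cross-view example for the BackDoor-BAC file hiding described above
(not part of the original description). Compares a live-API directory view
with a raw view and classifies the hidden names against the string list."""

# Strings from the description; any name containing one is hidden by the driver.
HIDE_STRINGS = [
    "gsvga.bin", "lps.dat", "mnsvgas.bin", "qo.dll", "qo.sys", "shsvga.bin",
    "t001f.exd", "ttsvga.dat", "wagfola4w.dat", "ycsvgd.sys", "ydsvgd.dll",
    "ydsvgd.sys",
]


def hidden_entries(api_view, raw_view):
    """Names present in the raw view but absent from the API view.
    Windows filenames are case-insensitive, so compare lower-cased."""
    seen = {name.lower() for name in api_view}
    return sorted(name for name in raw_view if name.lower() not in seen)


def matches_bac(name):
    """Which of the documented strings the name contains (assumed
    case-insensitive substring match; the description only says 'contain')."""
    lowered = name.lower()
    return [s for s in HIDE_STRINGS if s in lowered]


def triage(api_view, raw_view):
    """Map each hidden name to the BAC strings it matches. An empty list means
    the file is hidden (or was created between the two listings) for some
    reason other than this rootkit's filter and needs separate follow-up."""
    return {name: matches_bac(name) for name in hidden_entries(api_view, raw_view)}


# Constructed sample views of %Windir%\%SysDir% (not from a real system).
# The keylog file kps001.sys is NOT in the hide list, so it stays visible.
RAW_VIEW = [
    "kernel32.dll", "ntoskrnl.exe", "drivers", "kps001.sys",
    "qo.dll", "QO.SYS", "ydsvgd.dll", "ydsvgd.sys", "ycsvgd.sys", "lps.dat",
    "copy_of_qo.dll",   # also hidden: its name contains "qo.dll"
    "other.tmp",        # hidden for an unrelated reason
]
API_VIEW = ["kernel32.dll", "ntoskrnl.exe", "drivers", "kps001.sys"]


def triage_sample():
    """Run the cross-view triage over the constructed views."""
    return triage(API_VIEW, RAW_VIEW)


if __name__ == "__main__":
    for name, hits in triage_sample().items():
        print(f"{name:18} hidden; BAC strings: {hits or 'none'}")
```

On the sample, eight names are hidden: seven match a documented string (note that `copy_of_qo.dll` is caught purely because it contains `qo.dll`, and `QO.SYS` despite its case), while `other.tmp` matches nothing and is reported for manual follow-up.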
"ydsvgd.dll" is the password-stealing and notification component of this trojan.
Passwords for the following applications are captured:
- AutoComplete passwords in Internet Explorer
- Password-protected sites in Internet Explorer
- IM and Dialup connection passwords
It injects itself into Explorer and logs all keystrokes and active window titles to the following file:
%Windir%\%SysDir%\kps001.sys
Method of Infection
This trojan was mass spammed on October 10th, 2006.
Removal
A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media through which users share files.
Variants
N/A
Overview
-- Update October 10, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to the prevalence of the trojan being mass spammed.
--
BackDoor-BAC!55436 is a trojan delivered via a spammed fake email purporting to come from Walmart. It opens a backdoor port on the compromised computer, which allows a remote attacker unauthorized access, and it also posts logged keystrokes and stolen passwords back to the attacker.
Aliases
- Backdoor.Haxdoor.R (Symantec)
- BKDR_HAXDOR.AU (Trend Micro)