BackDoor-DKA

Type
Internet Worm
SubType
Remote Access
Discovery Date
11/09/2006
Length
varies
Minimum DAT
4892 (11/09/2006)
Updated DAT
6448 (08/24/2011)
Minimum Engine
5.2.00
Description Added
11/09/2006
Description Modified
10/01/2009 12:35 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This backdoor attempts to place an Autorun.inf file in the root directory of the drive it runs from. If that drive is shared across the network, other remote computers can be infected whenever they access the shared folders or directories.

Files found on the system:
c:\auto.exe
c:\autorun.inf
%System%\3C7780C0.DLL - this DLL is injected into all running processes

Registry keys added to the system:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_F188AD40
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_F188AD40\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_F188AD40\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F188AD40
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F188AD40\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F188AD40\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F188AD40
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F188AD40\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F188AD40\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F188AD40
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F188AD40\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F188AD40\Enum
• HKEY_USERS\.DEFAULT\SYSTEM
• HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet
• HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Services
• HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Services\F188AD40
• HKEY_CURRENT_USER\SYSTEM
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\F188AD40

Registry values created:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT]
  ReportBootOk = 0x00000001

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_F188AD40\0000\Control]
 *NewlyCreated* = 0x00000000
 ActiveService = "F188AD40"

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_F188AD40\0000]
 Service = "F188AD40"
 Legacy = 0x00000001
 ConfigFlags = 0x00000000
 Class = "LegacyDriver"
 ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
 DeviceDesc = "F188AD40"

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_F188AD40]
 NextInstance = 0x00000001

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F188AD40\Enum]
 0 = "Root\LEGACY_F188AD40\0000"
 Count = 0x00000001
 NextInstance = 0x00000001

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F188AD40\Security]
 Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F188AD40]
 Type = 0x00000010
 Start = 0x00000002
 ErrorControl = 0x00000001
 ImagePath = "%System%\4E17C240.EXE -k"
 DisplayName = "F188AD40"
 ObjectName = "LocalSystem"
 Description = "3C7780C0"

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F188AD40\0000\Control]
 *NewlyCreated* = 0x00000000
 ActiveService = "F188AD40"

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F188AD40\0000]
 Service = "F188AD40"
 Legacy = 0x00000001
 ConfigFlags = 0x00000000
 Class = "LegacyDriver"
 ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
 DeviceDesc = "F188AD40"

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F188AD40]
 NextInstance = 0x00000001

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F188AD40\Enum]
 0 = "Root\LEGACY_F188AD40\0000"
 Count = 0x00000001
 NextInstance = 0x00000001

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F188AD40\Security]
 Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F188AD40]
 Type = 0x00000010
 Start = 0x00000002
 ErrorControl = 0x00000001
 ImagePath = "%System%\4E17C240.EXE -k"
 DisplayName = "F188AD40"
 ObjectName = "LocalSystem"
 Description = "3C7780C0"

Registry values modified:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
 DoReport = 
 ShowUI =

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
 CheckedValue =

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

Symptoms

• Attempts to establish a connection with remote host: 203.xxx.xxx.232
• Outgoing HTTP traffic will be seen from the victim machine, to the following server:
hxxp://nx.xxxbb.cn/xxx//update.txt
• Existence of the files/Registry keys detailed above
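The following read-only host check is an added example, not part of the McAfee description: it looks for the files, service keys, injected DLL and Autorun.inf artifacts listed above and reports them for an analyst to review. It assumes the paths listed on this page are verbatim (the %System% expansion and the choice to check every filesystem drive root are mine) and, since the page does not record the new values of the modified SHOWALL and ErrorReporting entries, it only reports their current contents.

```powershell
# Added example (not from the McAfee description): read-only indicator check
# for BackDoor-DKA. Run in an elevated PowerShell on the suspect host; it
# reports findings and makes no changes.
$system   = [Environment]::GetFolderPath('System')   # expands %System%
$findings = @()

# 1. Dropped files named on the page (4E17C240.EXE comes from the ImagePath value).
foreach ($f in @('C:\auto.exe', 'C:\autorun.inf',
                 (Join-Path $system '3C7780C0.DLL'), (Join-Path $system '4E17C240.EXE'))) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# 2. Autorun.inf at the root of every filesystem drive (the propagation vector).
#    Quote the [autorun] launch line so the analyst can see what it points at.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $launch = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute)\s*=' -ErrorAction SilentlyContinue
        $findings += "autorun.inf on $($_.Root): $($launch.Line -join '; ')"
    }
}

# 3. The persistence service and its legacy-driver enumeration key.
foreach ($k in @('HKLM:\SYSTEM\CurrentControlSet\Services\F188AD40',
                 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F188AD40')) {
    if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" }
}
$svc = Get-Service -Name 'F188AD40' -ErrorAction SilentlyContinue
if ($svc) { $findings += "service F188AD40 is $($svc.Status)" }

# 4. The injected DLL: inspect the module list of every running process.
Get-Process | ForEach-Object {
    $p = $_
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq '3C7780C0.DLL' }) {
            $findings += "3C7780C0.DLL loaded in $($p.ProcessName) (PID $($p.Id))"
        }
    } catch { }   # protected/system processes refuse module enumeration; skip them
}

# 5. Values the page says were modified (new values not recorded there), shown for review.
$showAll = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if ($showAll) { $findings += "SHOWALL\CheckedValue is currently $($showAll.CheckedValue)" }
$er = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PCHealth\ErrorReporting' -ErrorAction SilentlyContinue
if ($er) { $findings += "ErrorReporting DoReport=$($er.DoReport) ShowUI=$($er.ShowUI)" }

if ($findings) { $findings | ForEach-Object { Write-Output "[BackDoor-DKA] $_" } }
else { Write-Output 'No BackDoor-DKA indicators found.' }
```

A hit on items 1, 3 or 4 is a strong indicator; item 5 only shows current values, since an administrator may legitimately have changed them.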

Method of Infection

• Virus may propagate via network shares or removable drives

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

All Information

Overview -

Backdoor-DKA provides remote access capabilities to an attacker by opening a backdoor on the compromised machine. This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes.

Aliases

  • Backdoor.Win32.Popwin.bda [Kaspersky Lab]
  • Backdoor:Win32/Popwin.B [Microsoft]
  • W32.Popwin [Symantec]
  • Win-Trojan/Popwin.18476 [AhnLab]
