BackDoor-DKI

Type: Trojan
SubType: Remote Access
Discovery Date: 12/13/2006
Length: varies
Minimum DAT: 4918 (12/13/2006)
Updated DAT: 6546 (11/30/2011)
Minimum Engine: 5.1.00
Description Added: 12/13/2006
Description Modified: 02/10/2011 5:18 AM (PT)
Risk Assessment:
    • Corporate User: Low
    • Home User: Low

Characteristics

-- Update: Feb 10, 2011 ---

File Information -

    • MD5 - ed6d671389632db0d9a2790d07dd7725
    • SHA1 - 1fc04367e93b03be39dafb37eafaed5659019c46

Aliases -

    • Kaspersky - Backdoor.Win32.Inject.guf
    • Microsoft - Backdoor:Win32/Poisonivy.E
    • Symantec - Backdoor.Darkmoon
    • AVG - BackDoor.Generic13.

"BackDoor-DKI" trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine. This trojan spawns an iexplore.exe process which is responsible for opening the backdoor.

Upon execution, the Trojan copies itself into the following location.

    • %WinDir%\system32\msxmlconfer.exe

The Trojan attempts to hide by injecting itself into the "iexplore.exe" process and connects to the site "microcn[removed].8800.org" in order to receive commands. These commands may include downloading and executing arbitrary files.

It also records keystrokes and stores them in the following file.

    • %WinDir%\system32\msxmlconfer

After execution, the original Trojan deletes itself.

The following registry keys have been added to the system.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5AE6AEF5-E067-B2F3-0489-98435CA721B7}
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\bricks
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\bricks\Settings

The following registry value has been added.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5AE6AEF5-E067-B2F3-0489-98435CA721B7}
      StubPath = "%Windir%\system32\msxmlconfer.exe"

This Active Setup entry causes the Trojan to execute every time Windows starts.

It creates a mutex with the name "KDKEK#&^%".

Note: [%WinDir% - C:\WINDOWS ]

-----------------

-- Update: November 28, 2009 ---

Upon execution, the trojan drops itself as the following file.

  • %Windir%\System32\winupdno.exe

It also adds the following registry key.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E82D779F-B791-8149-8DB2-0401C204BD77}
     "StubPath" = %Windir%\System32\winupdno.exe

The trojan connects to the following sites.

  • explorecheck.no-ip.biz
  • lightspeed.aalntx.sbcglobal.net

The trojan logs keystrokes on the infected machine and stores them in the file %windir%\system32\winupdno.

Recent variants are VM-aware.

-----------------------------------------------------

-- Update: April 6, 2007 ---

Upon execution, the trojan drops itself as the following file.

  • %Windir%\System32\com.exe

It also adds the following registry key.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{04F4BA85-A3C7-4235-0200-060204060705}
     "StubPath" = %Windir%\System32\com.exe

The trojan connects to the following site.

  • nimabi.servebeer.com

-----------------------------------------------------

BackDoor-DKI trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine. This trojan spawns an iexplore.exe process which is responsible for opening the backdoor.

On execution, variants of this trojan create a copy of themselves in %SystemDir% with names such as:

    • scvchost.exe
    • ServPro.exe
    • winhelp.ex

To activate on every reboot, the trojan variants register themselves under the following registry entry:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

It creates a mutex with the name ")!VoqA.I4".

The trojan logs keystrokes on the infected machine and stores them in a file. Though the file name and location may vary between variants, some variants are known to store it as %systemdir%\scvchost.

It also writes into the memory of the explorer.exe process, causing it to spawn an iexplore.exe process that opens the backdoor used to accept commands and send the stolen information. It may try to connect to one of the following hosts:

    • waigua88812.3322.org
    • lovequintet.com
    • just4try.no-ip.org

Symptoms

----- Updated on Feb-10-2011 ------

The Trojan also connects to the site "microcn[removed].8800.org" and awaits further commands that allow a remote attacker to perform some of the following actions:

    • Log keystrokes
    • Steal system information
    • Steal network information
    • Download additional malware

-------

    • Existence of the files and registry keys listed above
    • Connections to the remote hosts listed above
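The symptom checks above, as an added read-only triage script for a Windows host (written for this page, not part of the McAfee description). It walks the Active Setup Installed Components key that every listed variant uses for persistence and reports the CLSIDs, drop files, keystroke logs, the HKCU key and the mutex names quoted in this description; only those indicator values come from the page, and the assumption that the drop files live under %WinDir%\system32 follows the note above.

```powershell
# Added example: report-only check for the BackDoor-DKI indicators listed on this page.
# Nothing is deleted or modified; findings are printed as warnings for an analyst to review.
$ErrorActionPreference = 'SilentlyContinue'
$sysDir = Join-Path $env:WINDIR 'system32'   # %WinDir%\system32 per the page's note

# Values taken from the description (all three dated updates plus the base text)
$knownClsids = @(
    '{5AE6AEF5-E067-B2F3-0489-98435CA721B7}',   # Feb 2011 variant (msxmlconfer.exe)
    '{E82D779F-B791-8149-8DB2-0401C204BD77}',   # Nov 2009 variant (winupdno.exe)
    '{04F4BA85-A3C7-4235-0200-060204060705}'    # Apr 2007 variant (com.exe)
)
$knownFiles   = @('msxmlconfer.exe', 'winupdno.exe', 'com.exe', 'scvchost.exe', 'ServPro.exe', 'winhelp.ex')
$keylogFiles  = @('msxmlconfer', 'winupdno', 'scvchost')   # extension-less keystroke logs
$knownMutexes = @('KDKEK#&^%', ')!VoqA.I4')
$findings = @()

# 1. Active Setup persistence: flag known CLSIDs, or any StubPath whose file name matches a drop name.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
foreach ($k in Get-ChildItem -Path $asKey) {
    $stub = (Get-ItemProperty -Path $k.PSPath).StubPath
    if (-not $stub) { continue }
    $leaf = (($stub -replace '"', '').Trim()) -replace '^.*\\', ''   # last path component
    if ($knownClsids -contains $k.PSChildName -or $knownFiles -contains $leaf) {
        $findings += "Active Setup $($k.PSChildName) StubPath = $stub"
    }
}

# 2. Dropped copies and keystroke logs in %WinDir%\system32
foreach ($name in ($knownFiles + $keylogFiles)) {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "File present: $path" }
}

# 3. HKCU key written by the Feb 2011 variant
if (Test-Path -Path 'HKCU:\Software\Local AppWizard-Generated Applications\bricks') {
    $findings += 'Registry key present: HKCU\Software\Local AppWizard-Generated Applications\bricks'
}

# 4. Mutexes: OpenExisting succeeds only while a running process holds the named mutex
foreach ($m in $knownMutexes) {
    try {
        $h = [System.Threading.Mutex]::OpenExisting($m)
        $h.Dispose()
        $findings += "Mutex currently held: $m"
    } catch { }   # WaitHandleCannotBeOpenedException means the mutex is not present
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No BackDoor-DKI indicators found on this host.' }
```

Run it from an elevated PowerShell session so that HKLM and system32 are fully readable; a hit on the Active Setup check alone is worth escalating, since that key is the persistence point shared by every variant described here.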

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or unpatched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.

Variants

    N/A

Overview

-- Update: April 6, 2007 ---

The most recent variant is downloaded by the BackDoor-DKI.dldr trojan, which is embedded in a crafted JustSystem Ichitaro document exploiting a zero-day vulnerability (Exploit-TaroDrop trojan).

BackDoor-DKI trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine. This trojan spawns an iexplore.exe process which is responsible for opening the backdoor.
