BackDoor-DPD

Type: Trojan
SubType: Remote Access
Discovery Date: 05/15/2008
Length: Varies
Minimum DAT: 5296 (05/15/2008)
Updated DAT: 6526 (11/10/2011)
Minimum Engine: 5.4.00
Description Added: 05/15/2008
Description Modified: 01/17/2011 11:16 PM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Characteristics

------Updated on January 18, 2011-------------

File Information

  • MD5 - 74D6C6DA4E6F3643579566CEBA750B4A
  • SHA1 - 3DE96A6FBFAFA8CFD1286A7CF6EF3979363019D5

Aliases

  • Kaspersky - Trojan-Spy.Win32.Agent.bbsq
  • NOD32 - a variant of Win32/Spy.Agent.NUM
  • Ikarus - Trojan-Spy.Win32.Agent
  • Microsoft - Backdoor:Win32/Comfoo.A

BackDoor-DPD can act in various ways to steal your data, private information, or resources.

The DLL is intended to spy on the compromised user in order to steal passwords; the binary also monitors the compromised user's browser activity.

This Trojan usually injects itself into a running process such as Explorer.exe and tries to connect to the site Buffe[Removed]money.biz on remote port 80.

When executed, the Trojan drops the following files:

  • %Temp%\mst7.tmp
  • %Temp%\mst8.tmp
  • %Temp%\mst9.tmp
  • %Temp%\mstA.tmp
  • %Temp%\mstB.tmp
  • %Temp%\mstC.tmp
  • %Temp%\mstD.tmp
  • %Temp%\mstE.tmp

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspk
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspk\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspk\Enum

The following registry values have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspk\Type: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspk\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspk\ErrorControl: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspk\ImagePath: "\??\C:\Documents and Settings\Administrator\Desktop\OllyStuff\mspk.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspk\DisplayName: "mspk"

The registry entries above register the Trojan as a service on the compromised system so that it executes on every boot.
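The following read-only triage script is an added example, not part of the McAfee write-up: it checks a Windows host for the dropped temp files and the "mspk" service key described above, reading the ImagePath value from the registry rather than hard-coding the analysis-machine path shown on this page. It assumes an elevated PowerShell prompt and that the infected account's %Temp% is the one in effect when it runs.

```powershell
# Added triage script (not from the McAfee write-up). Reports BackDoor-DPD
# persistence artifacts; it does not remove anything.

$findings = @()

# 1. The "mspk" service key the Trojan adds under CurrentControlSet\Services.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mspk'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: $svcKey"
    # Write-up lists Type 0x1 (kernel driver) and Start 0x3 (demand start).
    foreach ($name in 'Type', 'Start', 'ErrorControl', 'ImagePath', 'DisplayName') {
        $value = $svc.$name
        if ($null -ne $value) { $findings += ('  {0} = {1}' -f $name, $value) }
    }
    if ($svc.ImagePath) {
        # ImagePath carries the NT "\??\" prefix; strip it to get a Win32 path.
        $driver = $svc.ImagePath -replace '^\\\?\?\\', ''
        $findings += '  driver file exists: ' + (Test-Path -LiteralPath $driver)
    }
}

# 2. Dropped files mst7.tmp .. mstE.tmp in %Temp%. The infected user's %Temp%
#    may differ from the current one; adjust $env:TEMP if triaging another profile.
foreach ($suffix in '7', '8', '9', 'A', 'B', 'C', 'D', 'E') {
    $dropped = Join-Path $env:TEMP ('mst{0}.tmp' -f $suffix)
    if (Test-Path -LiteralPath $dropped) {
        $findings += "Dropped file present: $dropped"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No BackDoor-DPD persistence artifacts found.'
} else {
    Write-Output 'Possible BackDoor-DPD artifacts:'
    $findings | ForEach-Object { Write-Output $_ }
}
```

A hit on the service key alone is worth investigating even if the driver file is gone, since a cleaned host can keep an orphaned key.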

This Trojan also injects itself into a running process and tries to connect to the following sites:

  • Buffet[Removed]neyhome.biz
  • Buffet[Removed]sAOL.com

This Trojan also collects the following information and sends it to the attacker:

  • 1. Windows Version Information!
  • 2. CPU Type!
  • 3. System Time!
  • 4. Account Information!
  • 5. Disk Information!
  • 6. NET Information!
  • 7. Protocol Information!
  • 8. NETBIOS Information!
  • 9. InstallApp Information!
  • 10. IE Version Information!
  • 11. IE BHO Information!

It also collects the following network details about the compromised system and sends them to the attacker:

  • Physical address
  • Adapter Desc
  • Secondary Wins Server
  • Primary Wins Server
  • DNS Servers
  • Gateway
  • IP Mask
  • IP Address
  • Network information

[%UserProfile% is C:\Documents and Settings\Administrator\, %Temp% is %UserProfile%\Local Settings\Temp\, and %SystemDrive% is the drive where the operating system is installed, in most cases C:\]

--------------------------------------------------------------------

BackDoor-DPD can act in various ways to steal your data, private information, or resources.

The DLL is intended to spy on the compromised user in order to steal passwords; the binary also monitors the compromised user's browser activity.

It registers itself on the compromised system as a Browser Helper Object (BHO), which ensures that the malware is loaded into iexplore.exe.

The malware binary collects the following information about the compromised user and sends it to the attacker, including:
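Because the page gives no CLSID for the BHO, the only practical check is to review every BHO registered on the host. The script below is an added example, not McAfee's code: it enumerates the Browser Helper Objects key (native and WOW6432Node views), resolves each CLSID to the DLL Internet Explorer will load, and flags DLLs that are missing or live under %Temp%.

```powershell
# Added example (not from the McAfee write-up): list registered BHOs with the
# DLL each one points at, so an unexpected entry can be spotted during triage.

function Get-RegisteredBho {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $clsid  = $entry.PSChildName
            $server = $null
            # The CLSID's InprocServer32 default value is the DLL IE loads.
            foreach ($clsRoot in $clsidRoots) {
                $inproc = Join-Path $clsRoot "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $server = (Get-ItemProperty -Path $inproc).'(default)'
                    break
                }
            }
            $expanded = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $server
                DllExists = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
                # A BHO whose DLL sits in a temp directory is unusual for legitimate software.
                InTempDir = if ($expanded) { $expanded -like "$env:TEMP*" } else { $false }
            }
        }
    }
}

Get-RegisteredBho | Format-Table -AutoSize
```

Review entries with no resolvable DLL or with InTempDir set; a legitimate BHO normally points at a signed DLL under Program Files.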

  • IE BHO Information
  • Version Information
  • Installed Application Information
  • NET BIOS Information
  • Protocol Information
  • Disk Information
  • Account Information
  • System Time
  • CPU Type
  • Windows Version Information

It also collects the following network details about the compromised system and sends them to the attacker:

  • Physical address
  • Adapter Desc
  • Secondary Wins Server
  • Primary Wins Server
  • DNS Servers
  • Gateway
  • IP Mask
  • IP Address
  • Network information

When executed, the malware binary connects to the following site:

  • http://mail[removed].nifty-user.com

It also tries to connect to the following sites and sends the stolen information to the attacker:

  • http://sr[removed]1.yahoo-user.com
  • http://mai[removed].nifty-login.com

It also uses the following WinSock functions to get the host name of the compromised system:

  • gethostname
  • gethostbyname

The gethostname function retrieves the standard host name for the local computer and the gethostbyname function retrieves host information corresponding to a host name from a host database.

The following files have been added to the system:

  • %USERPROFILE%\Local Settings\Temp\mst9.tmp

Symptoms

  • Presence of above mentioned activities.
  • Presence of above mentioned files.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Restart and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Restart and remove the CD from the CD-ROM drive.

Variants

N/A

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information:

  • MD5 - F901290613E8C8E8B87773E228DE4FE0
  • SHA1 - 95AC67A8A1CCE146F492AA94861D1FB0AEBAF7FA
  • File Size - 106496 bytes

Aliases:

  • AVG - PSW.Agent.AEBE
  • BitDefender - Trojan.Generic.2870588
  • Kaspersky - Trojan-Spy.Win32.Agent.bbsq
  • Symantec - Trojan Horse
