Virus:BDS/Bandok.R.2
Date discovered:20/12/2005
Type:Backdoor Server
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:20,480 Bytes
MD5 checksum:4A69364DF3EA6AF14FCEAFA910C2502B
VDF version:6.33.00.25

General
Method of propagation:
   • No own spreading routine


Alias:
   •  Kaspersky: Backdoor.Win32.Bandok.r


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\msnmsgr.exe



It deletes the following file:
   • c:\ali.html

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   • "*none"="%SYSDIR%\msnmsgr.exe"

The leading asterisk in the value name makes Windows execute the entry even when the system is booted into Safe Mode. RunOnce values are deleted before they are executed, so this value is usually absent on a host that has already rebooted; the Active Setup entry below survives and executes the file once at each user's next logon.



The following registry keys are added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion]
   • "bndkrt"="1648|msnmsgr.exe|none|1930|x|"

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{C6AB07ND-ADF3-4F02-0EE5-A156BTF-8AZ9}]
   • "StubPath"="%SYSDIR%\msnmsgr.exe"

Backdoor
Contact server:
   • **********.servemp3.com

Once connected to this server, the backdoor can send the information listed below and accept remote-control commands.

Sends information about:
    • Cached passwords
    • Information about running processes


Remote control capabilities:
    • Delete file
    • Directory listing
    • Download file
    • Edit file
    • Execute file
    • Kill process
    • Perform port redirection
    • Start keylog
    • Upload file
    • Visit a website

Injection
It injects itself into a process.

    Process name:
   • iexplore.exe

   If successful, the malware process terminates while the injected part remains active.

Miscellaneous
Mutex:
It creates the following mutex:
   • bandook13
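
As an added example, not part of the original description or of any vendor tooling, the PowerShell hunt below checks a Windows host for the file, registry and mutex indicators listed in the Files, Registry and Miscellaneous sections above. The function names and the $Bandok table are this example's own; the contact server is redacted on this page, so no network indicator is included, and the MD5 identifies only this exact UPX-packed sample.

```powershell
# Added IOC hunt for BDS/Bandok.R.2, built only from the indicators in this description.
# Example code, not from the original page or any vendor; run in an elevated PowerShell
# on the suspect host. Function and variable names are this example's own choices.

$Bandok = @{
    # %SYSDIR% resolves to System32 on the listed platforms; the hash is for this exact sample.
    FilePath = Join-Path $env:SystemRoot 'System32\msnmsgr.exe'
    Md5      = '4A69364DF3EA6AF14FCEAFA910C2502B'
    Mutex    = 'bandook13'
    Registry = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = '*none' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion';         Name = 'bndkrt' }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C6AB07ND-ADF3-4F02-0EE5-A156BTF-8AZ9}'
           Name = 'StubPath' }
    )
}

function New-Finding {
    param([string]$Indicator, [string]$Detail, [bool]$Match, [string]$Note)
    [pscustomobject]@{ Indicator = $Indicator; Detail = $Detail; Match = $Match; Note = $Note }
}

function Test-BandokFile {
    param([string]$Path, [string]$ExpectedMd5)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    # Any msnmsgr.exe in System32 deserves a look; an exact hash match confirms this variant.
    New-Finding 'File' $Path ($hash -ieq $ExpectedMd5) "MD5 $hash"
}

function Test-BandokRegistryValue {
    param([string]$Key, [string]$Name)
    # -LiteralPath keeps the {GUID} braces literal, and GetValue() takes the value name
    # literally, which matters for '*none': Get-ItemProperty -Name would treat '*' as a wildcard.
    $item = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $data = $item.GetValue($Name)
    if ($null -eq $data) { return }
    New-Finding 'Registry' "$Key\$Name" $true "$data"
}

function Test-BandokMutex {
    param([string]$Name)
    # An unprefixed mutex name lives in the caller's session namespace, so run this
    # in the logged-on user's session to see what that user's processes created.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        New-Finding 'Mutex' $Name $true 'present in this session'
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return
    } catch [System.UnauthorizedAccessException] {
        New-Finding 'Mutex' $Name $true 'present (access denied)'
    }
}

# Functions that find nothing emit no object, so only real findings end up in the array.
$findings = @(
    Test-BandokFile -Path $Bandok.FilePath -ExpectedMd5 $Bandok.Md5
    foreach ($r in $Bandok.Registry) { Test-BandokRegistryValue -Key $r.Key -Name $r.Name }
    Test-BandokMutex -Name $Bandok.Mutex
)

if ($findings.Count -eq 0) {
    Write-Output 'No Bandok.R.2 indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Get-FileHash needs PowerShell 4.0 or later. On 64-bit Windows a 32-bit dropper's writes to HKLM\SOFTWARE land under Wow6432Node, so repeat the two HKLM checks there. Because the RunOnce value is removed before it executes, its absence proves nothing on a rebooted host, and a clean result does not rule out a repacked variant with a different hash.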

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Tuesday, December 20, 2005
Description updated by Andrei Gherman on Tuesday, December 20, 2005
