Virus: BDS/Haxdoor.AF
Date discovered: 20/02/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 23.877 Bytes
MD5 checksum: 34feef2ba829a1843afa45464c0Efa0D
VDF version: 6.33.01.11

Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Goldun.hp
   •  TrendMicro: TSPY_GOLDUN.CI
   •  Sophos: Troj/Goldun-BX
   •  VirusBuster: trojan TrojanSpy.Goldun.CV
   •  Bitdefender: Trojan.PWS.Goldspy.F


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Drops malicious files
   • Registry modification
   • Steals information

Files:
The following files are created:

– Non malicious file:
   • %SYSDIR%\tick48.bin

– Malicious files:
   • %SYSDIR%\directut.dll
     It is executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/Agent.gh.2
   • %SYSDIR%\directout.sys
     Further investigation showed that this file is malware, too. Detected as: TR/Spy.Goldun.HP

Registry:
The following registry key is added in order to run the component after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directut]
   • "nk48id" = "[NG%random character string%]"
   • "MaxWait" = dword:00000001
   • "Asynchronous" = dword:00000001
   • "Impersonate" = dword:00000001
   • "Startup" = "directut"
   • "DllName" = "directut.dll"



The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\directout]
   • "Type"=dword:00000001
   • "Start"=dword:00000001
   • "ErrorControl"=dword:00000000
   • "ImagePath"=\??\%SYSDIR%\directout.sys
   • "DisplayName"="Printer direct access"

– [HKLM\SYSTEM\CurrentControlSet\Services\directout\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\directout\Enum]
   • "0"="Root\\LEGACY_DIRECTOUT\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIRECTOUT]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIRECTOUT\0000]
   • "Service"="directout"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Printer direct access"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIRECTOUT\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="directout"



It creates the following entries in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%WINDIR%\Explorer.EXE"="%WINDIR%\Explorer.EXE:*:Enabled:explorer"
   • "\\??\\%SYSDIR%\winlogon.exe"="\\??\\%SYSDIR%\winlogon.exe:*:Enabled:explorer"
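The three persistence patterns listed above (a Winlogon notification package, a kernel-driver service outside the usual drivers directory, and firewall exceptions for core Windows binaries) can be checked offline against an exported registry hive. This is an added example, not part of the original description: it parses a constructed .reg-style sample modelled on the entries above; the baseline of stock notification DLLs and the system32\drivers heuristic are assumptions to adjust for your build.

```python
# Constructed .reg-style sample modelled on this description (not a real capture); C:\WINDOWS\system32 stands in for %SYSDIR%.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directut]
"DllName"="directut.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\directout]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\directout.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:explorer"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:explorer"
"""
# Assumed baseline of stock XP Winlogon notification DLLs, and core processes that never need a firewall exception.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
CORE_PROCESSES = {"explorer.exe", "winlogon.exe"}

def parse_reg(text):
    # Parse .reg syntax into {key: {name: value}}, unescaping doubled backslashes.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line.partition('"=')
            name = name[1:].replace("\\\\", "\\")
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_haxdoor_style_persistence(text):
    # Return (check, item, detail) tuples for the three persistence patterns described above.
    findings = []
    for key, values in parse_reg(text).items():
        tail, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in tail:  # logon-notification DLL not in the baseline
            dll = str(values.get("DllName", "")).lower().rsplit("\\", 1)[-1]
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("winlogon-notify", leaf, dll))
        elif "\\services\\" in tail and values.get("Type") == 1:
            path = str(values.get("ImagePath", "")).lower()  # heuristic: kernel drivers live in system32\drivers
            if "\\system32\\" in path and "\\system32\\drivers\\" not in path:
                findings.append(("driver-outside-drivers-dir", leaf, path))
        elif tail.endswith("\\authorizedapplications\\list"):
            for app in values:  # core binaries or \??\ device paths authorised through the firewall
                base = app.lower().rsplit("\\", 1)[-1]
                if base in CORE_PROCESSES or app.startswith("\\??\\"):
                    findings.append(("firewall-exception", base, app))
    return findings
```

Run it over a `reg export` of the HKLM hive instead of the sample to check a live system; the crypt32chain entry shows that a stock notification package produces no finding.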

Backdoor:
The following port is opened:

– winlogon.exe on a random TCP port


Contact server:
It contacts the following server:
   • www.skyinet.info/r4/**********

It may then send information to this server via HTTP GET and POST requests to a PHP script.


Sends information about:
   • IP address
   • Opened port
   • Collected information described in the stealing section
   • Information about the Windows operating system

Stealing:
It tries to steal the following information:

– A logging routine is started after a website is visited:
   • %any HTTPS website that contains a login form%

– It captures:
   • Login information

Injection:
– It injects the following file: directut.dll

– Into all of the following processes:
   • winlogon.exe
   • explorer.exe
   • %all processes started after malware is active in memory%


Miscellaneous:
Time synchronisation:
In order to synchronize the local time it contacts an NTP server on port 123:
   • time.windows.com

Rootkit Technology:
This is malware-specific technology. The malware hides its presence from system utilities, security applications and, ultimately, from the user.


Hides the following:
– Its own files
– Its own process


Method used:
   • Hidden from Windows API

File details:
Runtime packer:
To hamper detection and reduce the file size, it is packed with the following runtime packer:
   • FSG 2.0

Description inserted by Daniel Constantin on Wednesday, February 22, 2006
Description updated by Daniel Constantin on Monday, March 6, 2006
