Date discovered: 15/04/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 324.096 Bytes
MD5 checksum: 9b203ebb193ae3a67d1874ed0062ad22
VDF version:

General:
Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Backdoor.Win32.Cakl.a
   • TrendMicro: BKDR_CAKL.D
   • Bitdefender: Trojan.PWS.PdPinch.GA

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files:
It copies itself to the following location:
   • %SYSDIR%\vms32.exe

The following files are created:

%WINDIR%\hkr32.asm This is a non-malicious text file with the following content:
   • %stolen information%

%SYSDIR%\ldapi32.exe Further investigation showed that this file is also malware. Detected as: BDS/Cakl.A.1

%SYSDIR%\ntswrl32.dll Further investigation showed that this file is also malware. Detected as: BDS/Cakl.A.2

Registry:
The following registry value is added continuously, in an infinite loop, in order to run the process after reboot:

   • "vms32"="%SYSDIR%\vms32.exe"

The following registry keys including all values and subkeys are removed:
   • [HKLM\SYSTEM\currentcontrolset\control\safeboot\minimal]
   • [HKLM\SYSTEM\currentcontrolset\control\safeboot\network]

It creates the following entry in order to bypass the Windows XP firewall:

   • "%SYSDIR%\vms32.exe"="%SYSDIR%\vms32.exe:*:Enabled:Dnode"

The following registry keys are added:

   • "Denese"="verme.serveftp.**********"
   • "PortNo"="15963"
   • "Kurban"="MANE"
   • "Password"="vermes"


Backdoor:
Contact server:
The following:
   • verme.serveftp.**********:15963

As a result, it may send information and provide remote control.

Sends information about:
   • Cached passwords
   • Computer name
   • CPU speed
   • CPU type
   • Created logfiles
   • Collected information described in the stealing section
   • Information about the Windows operating system

Remote control capabilities:
   • Edit registry
   • Execute file

Stealing:
It tries to steal the following information:
   • Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

Passwords from the following programs:
   • ICQ
   • Mozilla Firefox
   • Outlook
   • Internet Explorer
   • Windows Messenger
   • MSN Messenger

It captures:
   • Window information

Miscellaneous:
Mutex:
It creates the following mutex:
   • TURKO3
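Added triage example (not part of Avira's description): a PowerShell script that checks a Windows host for the file, registry and mutex indicators given in the Files, Registry and Mutex sections above. The Run-key locations and the firewall AuthorizedApplications list path are assumptions, since the description gives only the value names and not the keys they live in.

```powershell
# Added triage example (not Avira's code). Checks a host for the BDS/Cakl.A
# indicators listed in this description. Run from an elevated prompt.
# ASSUMPTIONS: the "vms32" value sits in the standard Run keys and the
# firewall entry in the XP SP2 AuthorizedApplications list; the page
# gives only value names, not key paths.
$sysdir   = [Environment]::SystemDirectory
$windir   = [Environment]::GetFolderPath('Windows')
$findings = New-Object System.Collections.Generic.List[string]

# 1. Files copied/dropped according to the Files section.
foreach ($f in "$sysdir\vms32.exe", "$sysdir\ldapi32.exe",
               "$sysdir\ntswrl32.dll", "$windir\hkr32.asm") {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}

# 2. Persistence value "vms32" (assumed Run-key locations).
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $v = (Get-ItemProperty -Path $k -Name vms32 -ErrorAction SilentlyContinue).vms32
    if ($v) { $findings.Add("run value: $k\vms32 = $v") }
}

# 3. SafeBoot keys: the malware deletes them, so their absence is the
#    indicator (Safe Mode will not work until they are restored).
foreach ($k in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
               'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network') {
    if (-not (Test-Path -LiteralPath $k)) { $findings.Add("SafeBoot key missing: $k") }
}

# 4. Firewall exception for vms32.exe (assumed key path, XP SP2 layout).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
         'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    $fw.PSObject.Properties | Where-Object { $_.Name -like '*\vms32.exe' } |
        ForEach-Object { $findings.Add("firewall exception: $($_.Name) = $($_.Value)") }
}

# 5. Mutex TURKO3: opening it succeeds only while the backdoor is running.
try {
    $m = [System.Threading.Mutex]::OpenExisting('TURKO3')
    $m.Close()
    $findings.Add('mutex TURKO3 present (backdoor process running)')
} catch { }   # not present, or not accessible from this session

# The rootkit component hides its own files and process from the Windows API,
# so an empty result on a live system is not conclusive; confirm the file
# indicators from offline media. Registry changes are not hidden by it.
if ($findings.Count) { $findings } else { 'no BDS/Cakl.A indicators found' }
```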

Rootkit technology:
This is a malware-specific technology. The malware hides its presence from system utilities, security applications and, in the end, from the user.

Hides the following:
   • Its own files
   • Its own process

Method used:
   • Hidden from Windows API

File details:
Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Iulia Diaconescu on Wednesday, May 3, 2006
Description updated by Iulia Diaconescu on Wednesday, May 3, 2006
