Virus: BDS/Cakl.A.1
Date discovered: 15/04/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 324.096 Bytes
MD5 checksum: 9b203ebb193ae3a67d1874ed0062ad22
VDF version: 6.34.00.187

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.Cakl.a
   •  TrendMicro: BKDR_CAKL.D
   •  Bitdefender: Trojan.PWS.PdPinch.GA


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\vms32.exe



The following files are created:

%WINDIR%\hkr32.asm
This is a non-malicious text file with the following content:
   • %stolen information%

%SYSDIR%\ldapi32.exe
Further investigation pointed out that this file is malware, too. Detected as: BDS/Cakl.A.1

%SYSDIR%\ntcvx32.dll

%SYSDIR%\ntswrl32.dll
Further investigation pointed out that this file is malware, too. Detected as: BDS/Cakl.A.2

Registry
The following registry key is added in order to run the process after reboot; the malware re-adds it continuously in an infinite loop, so deleting the value alone does not remove the persistence while the process is running.

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "vms32"="%SYSDIR%\vms32.exe"



The following registry keys including all values and subkeys are removed:
   • [HKLM\SYSTEM\currentcontrolset\control\safeboot\minimal]
   • [HKLM\SYSTEM\currentcontrolset\control\safeboot\network]



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\vms32.exe"="%SYSDIR%\vms32.exe:*:Enabled:Dnode"



The following registry keys are added:

– [HKCU\Software]
   • "Denese"="verme.serveftp.**********"
   • "PortNo"="15963"
   • "Kurban"="MANE"
   • "Password"="vermes"

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\minimal.xxx]
– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network.xxx]

Backdoor
Contact server:
It contacts the following server:
   • verme.serveftp.**********:15963

As a result, it may send information to this server, and remote control of the infected system could be provided through it.

Sends information about:
   • Cached passwords
   • Computer name
   • CPU speed
   • CPU type
   • Created logfiles
   • Collected information described in the stealing section
   • Information about the Windows operating system


Remote control capabilities:
   • Edit registry
   • Execute file

Stealing
It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • ICQ
   • Mozilla Firefox
   • Outlook
   • Internet Explorer
   • Windows Messenger
   • MSN Messenger

– It captures:
   • Keystrokes
   • Window information

Miscellaneous
Mutex:
It creates the following mutex:
   • TURKO3

Rootkit Technology
It is a malware-specific technology: the malware hides its presence from system utilities, security applications and, in the end, from the user.


Hides the following:
– Its own files
– Its own process


Method used:
   • Hidden from Windows API
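The indicators listed in the Files, Registry, Miscellaneous and Rootkit sections above can be checked on a Windows host with the following read-only PowerShell script. It is an added example written for this page, not code from Avira or from the malware itself; it assumes the file names, registry keys and value names exactly as given in this description, that %SYSDIR% resolves to [Environment]::SystemDirectory and %WINDIR% to the windir environment variable, and that it runs with administrator rights. Because the description states that the malware hides its files and process from the Windows API, an empty result on a live infected system is not conclusive: the file checks are more reliable when run against the disk from an offline boot or from a second, clean system.

```powershell
# Added example (not Avira's code): read-only check of a Windows host for the
# BDS/Cakl.A.1 indicators given in this description. Nothing is modified.
$findings = @()

$sysDir = [Environment]::SystemDirectory                  # %SYSDIR%
$winDir = [Environment]::GetEnvironmentVariable('windir') # %WINDIR%

# 1. Dropped files named in the "Files" section
$droppedFiles = @(
    "$sysDir\vms32.exe", "$sysDir\ldapi32.exe",
    "$sysDir\ntcvx32.dll", "$sysDir\ntswrl32.dll",
    "$winDir\hkr32.asm"
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Run-key persistence ("vms32" value)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'vms32' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value vms32 = $($run.vms32)" }

# 3. Windows XP firewall exception for vms32.exe (value name is the full path)
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
         'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    $fw.PSObject.Properties |
        Where-Object { $_.Name -like '*\vms32.exe' } |
        ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
}

# 4. SafeBoot keys: the originals are deleted and ".xxx" copies are added
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($k in 'minimal', 'network') {
    if (-not (Test-Path -LiteralPath "$safeBoot\$k")) {
        $findings += "SafeBoot\$k is missing (Safe Mode will not work)"
    }
    if (Test-Path -LiteralPath "$safeBoot\$k.xxx") {
        $findings += "SafeBoot\$k.xxx is present"
    }
}

# 5. Backdoor configuration values written directly under HKCU\Software
$cfg = Get-ItemProperty -Path 'HKCU:\Software' -ErrorAction SilentlyContinue
foreach ($v in 'Denese', 'PortNo', 'Kurban', 'Password') {
    if ($cfg -and ($cfg.PSObject.Properties.Name -contains $v)) {
        $findings += "HKCU\Software value $v = $($cfg.$v)"
    }
}

# 6. Mutex TURKO3 (only visible if created in the current session namespace)
try {
    $m = [System.Threading.Mutex]::OpenExisting('TURKO3')
    $m.Dispose()
    $findings += 'Mutex TURKO3 exists in this session'
} catch {
    # Mutex not present or not accessible; nothing to report
}

if ($findings.Count -eq 0) {
    'No BDS/Cakl.A.1 indicators found (not conclusive on a live infected system)'
} else {
    $findings
}
```

The SafeBoot check is the most useful one for incident response: the description says the minimal and network keys are removed, so a host on which Safe Mode no longer boots, or on which only the ".xxx" copies exist, matches this family even if the rootkit component hides the files and the process from the other checks.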

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Iulia Diaconescu on Wednesday, May 3, 2006
Description updated by Iulia Diaconescu on Wednesday, May 3, 2006
