Virus: BDS/Ciadoor.BO
Date discovered: 30/07/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium to high
Static file: Yes
File size: 1.218.748 Bytes
MD5 checksum: 655e5c9ea699d5ead17ad63529e09fe7
VDF version: 6.35.1.21
IVDF version: 6.35.1.21

General Aliases:
   • Kaspersky: Backdoor.Win32.Ciadoor.bo
   • Bitdefender: Backdoor.Ciadoor.FA


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Disable security applications
   • Drops files
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control


Right after execution the following information is displayed:


Files
It copies itself to the following locations:
   • %SYSDIR%\tz2L7ah3Pa.ini
   • %SYSDIR%\Directx.exe



It deletes the initially executed copy of itself.



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %SYSDIR%\del32.bat

– %SYSDIR%\drivers\oreans32.sys

– %SYSDIR%\wsock32.sys
   Further investigation pointed out that this file is malware, too. Detected as: BDS/Ciadoor.13.B

– %SYSDIR%\ckl009.dat
   This file contains collected keystrokes.

Registry
The following registry keys are added in order to run the processes after reboot:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
   • "%SYSDIR%\DirectX.exe"="%SYSDIR%\directx.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Generic Host Process"="%SYSDIR%\directx.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
   • "Generic Host Process"="%SYSDIR%\directx.exe"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
   • "%SYSDIR%\DirectX.exe"="%SYSDIR%\directx.exe"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
   • "%SYSDIR%\DirectX.exe"="%SYSDIR%\directx.exe"

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   • "shell"="Explorer.exe %SYSDIR%\DirectX.exe"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
   • "Generic Host Process"="%SYSDIR%\DirectX.exe"



The following registry keys are added in order to load the service after reboot:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Runservices
   • "Generic Host Process"="%SYSDIR%\DirectX.exe"



The value of the following registry key is removed:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}


It registers a browser helper object (BHO) by adding the following key:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}


The following registry keys are added:

– HKCR\N.Cs4\Clsid
   • "(Default)"="{E14DCE67-8FB7-4721-8149-179BAA4D792C}"

– HKCR\N.Cs4
   • "(Default)"="N.Cs4"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION
   • "(Default)"="3.0"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib
   • "(Default)"="{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32
   • "ThreadingModel"="Apartment"
   • "(Default)"="%SYSDIR%\wsock32.sys"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID
   • "(Default)"="N.Cs4"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}
   • "(Default)"="N.Cs4"

– HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib
   • "Version"="3.0"
   • "(Default)"="{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"

– HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32
   • "(Default)"="{00020424-0000-0000-C000-000000000046}"

– HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid
   • "(Default)"="{00020424-0000-0000-C000-000000000046}"

– HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}
   • "(Default)"="Cs4"

– HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR
   • "(Default)"="%SYSDIR%"

– HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32
   • "(Default)"="%SYSDIR%\wsock32.sys"

– HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS
   • "(Default)"="0"

– HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0
   • "(Default)"="N"

– HKCU\Software\VB and VBA Program Settings\set\set
   • "set"="tz2L7ah3Pa.ini"

– HKLM\SYSTEM\ControlSet003\Services\Messenger
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet003\Services\ATS
   • "Start"=dword:00000000

– HKCU\Software\Policies\Microsoft\Windows\System
   • "DisableCMD"=dword:00000001

– HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
   • "Disabled"=dword:00000000

– HKCR\..DlI
   • "(Default)"="exefile"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   • "run"="%SYSDIR%\DirectX.exe"

– HKLM\SYSTEM\ControlSet001\Services\SENS
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet002\Services\SENS
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet003\Services\SENS
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet001\Services\Nla
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet002\Services\Nla
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet003\Services\Nla
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet001\Services\Messenger
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet002\Services\Messenger
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet001\Services\ATS
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet002\Services\ATS
   New value:
   • "Start"=dword:00000000

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   Old value:
   • "load"=""
   New value:
   • "load"="%SYSDIR%\DirectX.exe"
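The registry entries listed above are what a responder looks for in an exported hive. The following Python script is an added example, not part of the original description: it parses a constructed .reg-style export (sample data, not a real capture) and flags the autorun values pointing at the dropped DirectX.exe, the extended Winlogon Shell value, the DisableCMD policy and the BHO registration under the CLSID documented on this page.

```python
import re

# Indicators transcribed from the description above; keys are compared in lower case.
CIADOOR_CLSID = "{e14dce67-8fb7-4721-8149-179baa4d792c}"
DROPPED_EXE = re.compile(r"\\directx\.exe\b", re.I)      # %SYSDIR%\DirectX.exe
AUTORUN_KEYS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runservices",
    r"\microsoft\windows\currentversion\policies\explorer\run",
    r"\microsoft\windows nt\currentversion\windows",     # "load" / "run" values
)
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_classes_root": "hkcr"}
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')               # "name"=data

def normalize_key(key):
    # Lower-case the path and shorten the hive name (HKEY_LOCAL_MACHINE -> hklm).
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()

def scan_reg_export(text):
    # Return (key, value_name, reason) for every line matching a Ciadoor.BO indicator.
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):     # start of a key section
            key = normalize_key(line[1:-1])
            if CIADOOR_CLSID in key:
                hits.append((key, None, "BHO/COM registration under the Ciadoor CLSID"))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1).lower(), m.group(2).strip('"')
        if DROPPED_EXE.search(data) and any(key.endswith(k) for k in AUTORUN_KEYS):
            hits.append((key, name, "autorun entry pointing at dropped DirectX.exe"))
        elif key.endswith(r"\winlogon") and name == "shell" and data.lower() != "explorer.exe":
            hits.append((key, name, "Winlogon Shell extended beyond Explorer.exe"))
        elif key.endswith(r"\policies\microsoft\windows\system") and name == "disablecmd" \
                and data.lower() == "dword:00000001":
            hits.append((key, name, "command prompt disabled by policy"))
    return hits

# Constructed sample export (not a real capture); the ctfmon entry is benign, for contrast.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host Process"="C:\\WINDOWS\\system32\\directx.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\DirectX.exe"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}]
"""
```

Running `scan_reg_export(SAMPLE_REG)` returns four hits, one per indicator class; a clean Winlogon entry whose Shell value is exactly Explorer.exe produces none.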

Network Infection
Exploit:
It makes use of the following exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)

Backdoor
Contact server:
The following:
   • doener.no-ip.**********:314

As a result it may send information and provide remote control.

Sends information about:
    • Capture screen
    • Capture shot from webcam
    • Current user
    • Information about running processes
    • Information about the Windows operating system


Remote control capabilities:
    • Change directory
    • Copy file
    • Delete file
    • Directory listing
    • Display a message
    • Download file
    • Execute file
    • Kill process
    • Move file
    • Restart system
    • Send emails
    • Shut down system
    • Upload file

Stealing
It tries to steal the following information:

– It captures:
    • Keystrokes
    • Window information

Injection
– It injects the following file into a process: %SYSDIR%\wsock32.sys

– It injects itself as a remote thread into a process.

   Process name:
   • %PROGRAM FILES%\Internet Explorer\IEXPLORER.exe

   If successful, the malware process terminates while the injected part remains active.

Miscellaneous
Anti debugging
If it detects a debugger, it displays the following and terminates immediately:


Rootkit Technology
Hides the following:
– Its own registry keys

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Bogdan Iliuta on Monday, July 31, 2006
Description updated by Bogdan Iliuta on Friday, August 4, 2006
