Virus: BDS/Glecia.D
Date discovered: 20/10/2009
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 61.440 Bytes
MD5 checksum: 3b2064e0b51f242d1955cb402653201c
IVDF version: 7.01.06.126 - Tuesday, October 20, 2009

General Method of propagation:
   • No own spreading routine


Aliases:
   • Kaspersky: Packed.Win32.Krap.x
   • F-Secure: Packed.Win32.Krap.x
   • Eset: Win32/Kryptik.AWF


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

Files
The following files are created:

– %SYSDIR%\sys.dat
   It is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: BDS/Glecia.A

– %SYSDIR%\bhdvgtueyitf.dll
   It is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: BDS/Glecia.A

– c:\%malware execution directory%\sys.bat
   It is executed once it has been fully written. This batch file is used to delete a file.

Registry
The following registry keys are added:

– [HKCR\CLSID\{%CLSID%}]
   • "(Default)"="Microsoft Online Helper!"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%CLSID%}]
   • "(Default)"="Microsoft Online Helper!"

– [HKCR\CLSID\{%CLSID%}\InProcServer32]
   • "(Default)"=hex(2):%hex values%
   • "ThreadingModel"="Apartment"



The following registry key is changed:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Enable Browser Extensions"="yes"
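As an added triage example (not part of this description, and not Avira's code), the following Python script parses a reg-export text of the keys listed above and flags Browser Helper Object registrations that match the indicators: the "Microsoft Online Helper!" display name, and an InProcServer32 entry (REG_EXPAND_SZ, exported as hex(2)) that resolves to a random-looking DLL name in the system directory. The sample export, its CLSIDs and the letters-only DLL-name heuristic are constructed assumptions for illustration, not values from the description.

```python
import re

# Constructed .reg export modelled on the keys listed above (sample data, not a capture from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Microsoft Online Helper!"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,62,00,68,00,64,00,76,00,67,00,\
  74,00,75,00,65,00,79,00,69,00,74,00,66,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Microsoft Online Helper!"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]"""

def parse_reg(text):
    # Parse a .reg export into {key: {value_name: value}}; "@" names the (Default) value.
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):                        # binary value continues on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif "=" in line and current is not None:
            name, _, val = line.partition("=")
            if val.startswith("hex(2):"):              # REG_EXPAND_SZ: UTF-16LE bytes, drop the NUL terminator
                val = bytes(int(b, 16) for b in val[7:].split(",")).decode("utf-16-le").rstrip("\x00")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = val.strip('"').replace("\\\\", "\\")
    return keys

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SUSPECT_NAME = "Microsoft Online Helper!"            # display name the Glecia.D registration uses

def find_suspicious_bhos(keys):
    hits = []
    for key in keys:
        root, _, clsid = key.rpartition("\\")
        if root != BHO_ROOT:                           # only registered BHO CLSIDs are of interest
            continue
        name = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid, {}).get("(Default)", "")
        dll = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32", {}).get("(Default)", "")
        reasons = []
        if name == SUSPECT_NAME:
            reasons.append("display name matches BDS/Glecia.D")
        if re.search(r"\\system32\\[a-z]{10,}\.dll$", dll, re.I):   # weak heuristic: long letters-only name
            reasons.append("random-looking DLL name in the system directory")
        if reasons:
            hits.append((clsid, dll, reasons))
    return hits
```

On a live host the same logic can be run over the output of `reg export` for the HKCR\CLSID and Browser Helper Objects keys; the second, unnamed BHO in the sample shows that a registration without matching indicators is not reported.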

Email
It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described below:


From:
The sender address is spoofed.


Subject:
The following:
   • DHL service. Please get your parcel. Delivery NR.163400



Body:
The body of the email is one of the lines:
   • Hello!
   •
   • The courier company was not able to deliver your parcel by your address.
   • Cause: Error in shipping address.
   •
   • You may pickup the parcel at our post office personaly!
   •
   • Please note!
   • The shipping label is attached to this e-mail.
   • Please print this label to get this package at our post office.
   •
   •
   • Thank you for attention.
   • DHL Global Forwarding Services.


Attachment:
The filename of the attachment is:
   • DHL_package_label_6f1aa.zip

The attachment is an archive containing a copy of the malware itself.



The email looks like the following:


File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Tobias Gruber on Tuesday, October 20, 2009
Description updated by Philipp Wolf on Tuesday, October 20, 2009
