Virus: BDS/Small.CQ.1
Date discovered: 20/04/2005
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: No
IVDF version: 6.30.00.118 - Wednesday, April 20, 2005

General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: W32.Gobi
• McAfee: W32/Gobi!backdoor
• Kaspersky: Virus.Win32.Gobi.a
• Sophos: Troj/Gobi-A
• Bitdefender: Trojan.Keylogger.Gobi.A
This is a component of: W32/Gobi.A
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Records keystrokes
• Registry modification
• Steals information
• Third party control
Can be used by rogue users or malware to lower security settings. Can be used to modify system settings that allow or augment potential malware behaviour.

Files
It copies itself to the following location:
• %WINDIR%\Services.exe
The following files are created:
– %WINDIR%\CKKILU101.log
  This file contains collected information about the system.
– %WINDIR%\CKKILU101.dll
  Furthermore, it is executed after it has been fully created. Further investigation showed that this file is malware, too. Detected as: BDS/Small.CQ.1

Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "SCM"="%WINDIR%\Services.exe"
The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\CKKILU101]
– [HKLM\System\CurrentControlSet\Services\RemoteAccess]

Email
It does not have its own spreading routine, but it has the ability to send an email. The recipient is most likely the author. The characteristics are described below:
From: The sender address is spoofed. The sender of the email is the following:
• hack@report.com
To: The recipient of the email is the following:
• saddam.husein7@**********

Backdoor
The following port is opened:
– %WINDIR%\Services.exe on TCP port 666 in order to provide backdoor capabilities.
Sends information about:
• Computer name
• Created logfiles
• Current user
• Free disk space
• Free memory
• IP address
• Platform ID
• Information about running processes
• System directory
• System time
• Username
• Users' local activity
• Visited URLs
• Windows directory
• Information about the Windows operating system
Remote control capabilities:
• Abort connection
• Change directory
• Delete file
• Directory listing
• Download file
• Execute file
• Kill process
• Move file
• Restart system
• Shut down system
• Terminate process
• Upload file

Injection
– It injects the following file into a process: %WINDIR%\CKKILU101.dll
  Process name:
  • %executed file%

Miscellaneous
String:
Furthermore, it contains the following string:
• Tiny Sting v7.0

File details
Programming language:
The malware program was written in Assembler.
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
• Upx 0.84 - 2.02, 2.90
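As an added example (not part of this description), the following Python function matches a host inventory against the file, Run-key, marker-key and listener indicators listed above. The inventory dict layout, the constant names and the sample hosts are constructed for the example; the RemoteAccess service key is deliberately left out, since a service of that name exists on a normal Windows install and is weak evidence on its own.

```python
from typing import Dict, List

# Indicators from the description above (constant names are our own).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SCM"
MARKER_KEY = r"HKLM\SOFTWARE\Microsoft\CKKILU101"
DROPPED = ("Services.exe", "CKKILU101.log", "CKKILU101.dll")
BACKDOOR_PORT = 666


def _norm(path: str, windir: str) -> str:
    """Expand %WINDIR% and fold case so paths compare reliably."""
    return path.replace("%WINDIR%", windir).strip().lower()


def check_host(inv: Dict) -> List[str]:
    """Return one finding per indicator present in the inventory.

    Constructed layout: {"windir": str, "files": [paths],
    "registry": {key: {value_name: data}}, "listening": [(port, image)]}.
    """
    windir = inv.get("windir", r"C:\WINDOWS")
    findings: List[str] = []

    # Dropped files. The legitimate services.exe lives in %WINDIR%\System32,
    # so a copy directly under %WINDIR% is suspicious by itself.
    files = {_norm(p, windir) for p in inv.get("files", [])}
    for name in DROPPED:
        if _norm(f"{windir}\\{name}", windir) in files:
            findings.append(f"dropped file: {windir}\\{name}")

    reg = inv.get("registry", {})
    run_data = reg.get(RUN_KEY, {}).get(RUN_VALUE)
    if run_data and _norm(run_data, windir) == _norm(f"{windir}\\Services.exe", windir):
        findings.append(f"persistence: {RUN_KEY}\\{RUN_VALUE} -> {run_data}")
    if MARKER_KEY in reg:
        findings.append(f"marker key: {MARKER_KEY}")

    for port, image in inv.get("listening", []):
        if port == BACKDOOR_PORT:
            findings.append(f"backdoor listener: TCP {port} ({image})")
    return findings


# Constructed sample inventories: one infected host, one clean host.
INFECTED = {"windir": r"C:\WINDOWS",
            "files": [r"C:\WINDOWS\services.exe", r"C:\WINDOWS\CKKILU101.log",
                      r"C:\WINDOWS\CKKILU101.dll", r"C:\WINDOWS\System32\services.exe"],
            "registry": {RUN_KEY: {"SCM": r"%WINDIR%\Services.exe"}, MARKER_KEY: {}},
            "listening": [(666, r"C:\WINDOWS\services.exe"), (135, "svchost.exe")]}
CLEAN = {"windir": r"C:\WINDOWS", "files": [r"C:\WINDOWS\System32\services.exe"],
         "registry": {RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe"}},
         "listening": [(135, "svchost.exe")]}
```

Running `check_host(INFECTED)` yields six findings (three files, the Run value, the marker key and the TCP 666 listener), while `check_host(CLEAN)` yields none.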
Description inserted by Daniel Constantin on Thursday, February 18, 2010 Description updated by Andrei Ivanes on Thursday, February 18, 2010