Virus: BDS/Bot.145845
Date discovered: 10/11/2011 (10 November 2011)
Type: Backdoor Server
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 73,728 bytes
MD5 checksum: EE2DC1DC7CCA53CE57015D6564DA2243
VDF version: 7.11.17.126 - Thursday, November 10, 2011
IVDF version: 7.11.17.126 - Thursday, November 10, 2011

General
Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan-Clicker.Win32.Agent.vjh
• Sophos: W32/Slenfbot-AG
• Bitdefender: Backdoor.Bot.145845
• Microsoft: Trojan:Win32/Dooxud.A
• Eset: Win32/Injector.KTS
• DrWeb: BackDoor.IRC.Bot.166

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows 7

Files
It copies itself to the following location:
• %HOME%\Application Data\%random character string%.exe

The following file is created:
– %TEMPDIR%\google_cachepages2.tmp
This is a non-malicious text file with the following content:
• website=1

It tries to download files from the following locations. Each download is saved on the local hard drive under %HOME%\Local Settings\Application Data\%seven-character random string%.exe:
• count.lo**********.com/xmyms.exe (this file is executed once the download has completed)
• count.lo**********.com/xms0481.exe
• count.lo**********.com/x200.exe
• count.lo**********.com/x201.exe
• count.lo**********.com/x202.exe
• count.lo**********.com/x203.exe
• count.ah**********.net/xmyms.exe
• count.ah**********.net/xms0481.exe
• count.ah**********.net/x200.exe
• count.ah**********.net/x201.exe
• count.ah**********.net/x202.exe (this file is executed once the download has completed; further investigation showed that it is malware, too, detected as TR/Offend.kdv.404824.6)
• count.ah**********.net/x203.exe
• count.sy**********.us/xmyms.exe
• count.sy**********.us/xms0481.exe
• count.sy**********.us/x200.exe
• count.sy**********.us/x201.exe
• count.sy**********.us/x202.exe
• count.sy**********.us/x203.exe

Registry
The following registry key is added:
– HKCU\SessionInformation
• "24hrs"=dword:4ddba780

The following registry key is changed:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
New values:
• "userinit"=%SYSDIR%\userinit.exe,%malware execution directory%\%executed file%.exe -init
• "Taskman"=%HOME%\Application Data\%random character string%.exe -tman
Appending the dropped file to the Userinit list makes Winlogon start it at every interactive logon; the Taskman value, which is normally absent, starts it again whenever Task Manager is invoked. Both values have to be cleaned together, and the Userinit entry must be restored to userinit.exe alone rather than deleted, or the system will no longer log on.

Backdoor
The following port is opened:
– iexplore.exe on a TCP port (the port number is not given in this description) in order to provide backdoor capabilities.

Contact server:
• check**********.net
As a result it may send information and remote control could be provided.

Sends information about:
• Information about the Windows operating system

Remote control capabilities:
• Download file
• Execute file
• Visit a website

Injection
– It injects itself as a remote thread into a process.
Process name:
• iexplore.exe

Miscellaneous
Mutex:
It creates the following Mutex:
• t2fyowming

File details
Programming language:
The malware program was written in MS Visual C++.
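The registry, mutex and file artefacts listed above are what a responder would check on a suspect host. The script below is an added example, not part of the Avira description or its tooling: it runs offline over a constructed evidence set (Winlogon values, the HKCU\SessionInformation key, open mutexes and file paths that an analyst has already exported) and flags the artefacts the description names. The "clean Userinit" pattern, the rule that an executable sitting directly in an Application Data root is suspect, and the decoding of the 24hrs DWORD as a Unix timestamp are assumptions of this example; the description does not say what that value means.

```python
"""IOC triage for BDS/Bot.145845 (added example; not Avira's tooling).

Runs offline over evidence the analyst has already exported from a host:
Winlogon values, the HKCU\\SessionInformation key, open mutexes and file
paths. The sample evidence at the bottom is constructed for this example.
"""
import re
from datetime import datetime, timezone

# Artefacts quoted in the description.
MUTEX = "t2fyowming"
DROP_FILE = "google_cachepages2.tmp"
SESSION_KEY = r"HKCU\SessionInformation"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumption: the only legitimate Userinit entry is userinit.exe under the
# system directory; every additional comma-separated entry is suspect.
_CLEAN_USERINIT = re.compile(
    r"^(?:%systemroot%|[a-z]:\\windows)\\system32\\userinit\.exe$", re.I)

# Assumption: the bot drops its copies and downloads directly into the
# (roaming or local) Application Data root, which legitimate software
# rarely does; subfolders such as Application Data\Google\ are not flagged.
_APPDATA_EXE = re.compile(
    r"\\(?:local settings\\)?application data\\[a-z0-9]+\.exe$", re.I)


def parse_userinit(value):
    """Split the comma-separated Userinit list, dropping empty entries
    (a clean value usually ends with a trailing comma)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def userinit_extras(value):
    """Return every Userinit entry that is not the expected launcher."""
    return [e for e in parse_userinit(value) if not _CLEAN_USERINIT.match(e)]


def is_appdata_exe(path):
    """True for an executable sitting directly in an Application Data root."""
    return _APPDATA_EXE.search(path) is not None


def decode_24hrs(dword):
    """Assumption: the '24hrs' DWORD looks like a 32-bit Unix timestamp.
    The description does not say what it means, so treat the decoded
    date as a lead to corroborate, not as a fact."""
    return datetime.fromtimestamp(dword, tz=timezone.utc)


def triage(evidence):
    """Return (severity, message) findings for the artefacts the description names."""
    findings = []
    registry = evidence.get("registry", {})
    winlogon = registry.get(WINLOGON_KEY, {})
    extras = userinit_extras(winlogon.get("Userinit", ""))
    if extras:
        findings.append(("high", "Userinit starts extra program(s): " + "; ".join(extras)))
    if "Taskman" in winlogon:
        findings.append(("high", "Winlogon Taskman set: " + winlogon["Taskman"]))
    session = registry.get(SESSION_KEY, {})
    if "24hrs" in session:
        stamp = decode_24hrs(session["24hrs"]).strftime("%Y-%m-%d")
        findings.append(("medium", f"{SESSION_KEY}\\24hrs = {session['24hrs']:#010x} (as epoch: {stamp})"))
    if MUTEX in evidence.get("mutexes", []):
        findings.append(("high", f"mutex {MUTEX} present"))
    for path in evidence.get("files", []):
        if path.lower().endswith("\\" + DROP_FILE):
            findings.append(("low", "drop marker " + path))
        elif is_appdata_exe(path):
            findings.append(("medium", "executable in Application Data root: " + path))
    return findings


# Constructed evidence for this example; the random file names are made up.
SAMPLE_EVIDENCE = {
    "registry": {
        WINLOGON_KEY: {
            "Userinit": r"C:\WINDOWS\system32\userinit.exe,"
                        r"C:\Documents and Settings\Alice\Application Data\kqzpxwv.exe -init",
            "Taskman": r"C:\Documents and Settings\Alice\Application Data\kqzpxwv.exe -tman",
        },
        SESSION_KEY: {"24hrs": 0x4DDBA780},
    },
    "mutexes": ["ShimCacheMutex", MUTEX],
    "files": [
        r"C:\Documents and Settings\Alice\Local Settings\Temp\google_cachepages2.tmp",
        r"C:\Documents and Settings\Alice\Local Settings\Application Data\abcdefg.exe",
        r"C:\Documents and Settings\Alice\Local Settings\Application Data\Google\Update.exe",
    ],
}

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVIDENCE):
        print(f"[{severity}] {message}")
```

On the constructed evidence the script reports three high findings (the extra Userinit entry, the Taskman value and the mutex), two medium ones (the 24hrs marker and the executable dropped straight into Local Settings\Application Data) and the low-value drop marker; Google\Update.exe is left alone because it lives in a subfolder. The 24hrs value decodes to 24 May 2011 when read as an epoch, which is only a lead until corroborated by file timestamps on the host.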
Description inserted by Ana Maria Niculescu on Tuesday, November 15, 2011 Description updated by Ana Maria Niculescu on Tuesday, November 15, 2011