Virus:BDS/Androm.GX
Date discovered:27/08/2012
Type:Backdoor Server
In the wild:No
Reported Infections:High
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:88.064 Bytes
MD5 checksum:34F2EF9D9E779A7D71D1999107FC845C
VDF version:7.11.41.18 - Monday, August 27, 2012
IVDF version:7.11.41.18 - Monday, August 27, 2012

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.Androm.gr
   •  Eset: Win32/Kryptik.AKXZ
   •  DrWeb: BackDoor.Andromeda.22


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Files
It drops a copy of itself using a filename from a list:
– To: C:\Documents and Settings\All Users, using one of the following names:
   • svchost.exe

– To: %ALLUSERSPROFILE%\Local Settings\Temp, using one of the following names:
   • %random character string%.bat
   • %random character string%.pif
   • %random character string%.scr
   • %random character string%.com


Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdateSched"="%ALLUSERSPROFILE%\svchost.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.pif"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.bat"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.scr"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.com"

Email
It doesn't have its own spreading routine, but it was spammed out via email. Its characteristics are described in the following:


From:
The sender address is spoofed.


Email design:
From: auto-confirm@amazon.com
Subject: Your Order with Amazon.com
Body:
   • Want to manage your order online?
     If you need to check the status of your order or make changes, please visit our home page at Amazon.com and click on Your Account at the top of any page.
     
     Order Grand Total: $86.76
     
     ***********************************************************************************
     PLEASE VIEW ATTACHED FILE FOR BILLING AND SHIPPING INFORMATION AND ORDER DETAILS
     ***********************************************************************************
     
     Get the Amazon.com Rewards Visa Card and earn 3% rewards on your Amazon.com orders. Click http://www.amazon.com/InstantRewards for more information.
     
     ***********************************************************
     Need to give a gift? Not sure what to buy?
     Amazon.com gift certificates/cards are available in any dollar amount from $5 to $5,000.
     We'll deliver it via e-mail--it's the perfect last-minute gift.
     Learn more at http://www.amazon.com/gift-certificates
     ***********************************************************
     Need to print an invoice?
     Visit www.amazon.com/your-account and click to view your orders. Click "View order" next to the appropriate order. You'll find a button to print an invoice on the next page
     ***********************************************************
     Got questions? We've got answers. Visit our online Help department, available 24 hours a day: http://www.amazon.com/help
     
     ***********************************************************
     Please note: This e-mail message was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
     
     If you ever need to return an order, visit our Online Returns Center: www.amazon.com/returns
     
     Thanks again for shopping with us.
     -------------------------------------------------------------
     Amazon.com
     Earth's Biggest Selection
     http://www.amazon.com
     -------------------------------------------------------------
Attachment:
   • Amazon-Order-Details-REF9768012.zip

The attachment is an archive containing a copy of the malware itself.

Backdoor
The following port is opened:

– %ALLUSERSPROFILE%\svchost.exe on TCP port 8000 in order to provide a remote shell.


Contact server:
The following:
   • http://stripe**********image.php

Once connected, it retrieves an additional list of servers.
As a result, it may send information and remote control may be provided.

Injection
– It injects itself into a process.

    Process name:
   • %SYSDIR%\wuauclt.exe
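As an added example (not part of the Avira description), the following Python check turns the persistence entries and the listening port described above into detection logic and runs it over constructed sample events; the event dictionary layout and field names are assumed for illustration, not taken from any real monitoring tool.

```python
import re

# Indicators from the description above; keys are compared case-insensitively.
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
POLICY_RUN_KEY = r"hklm\software\microsoft\windows\currentversion\policies\explorer\run"
BACKDOOR_PORT = 8000

# policies\Explorer\Run data: ...\Local Settings\Temp\<random>.{bat,pif,scr,com}
TEMP_DROP_RE = re.compile(r"\\local settings\\temp\\[^\\]+\.(bat|pif|scr|com)$", re.I)
# A svchost.exe that does not live in the system directory (the dropped copy).
SVCHOST_COPY_RE = re.compile(r"^(?!.*\\system32\\).*\\svchost\.exe$", re.I)


def check_registry(key, name, data):
    """Return a reason if a Run value matches the Androm.GX persistence pattern, else None."""
    k = key.lower().rstrip("\\")
    if k == RUN_KEY and name == "SunJavaUpdateSched" and SVCHOST_COPY_RE.match(data):
        return "Run value SunJavaUpdateSched points to a svchost.exe copy outside system32"
    if k == POLICY_RUN_KEY and name.isdigit() and TEMP_DROP_RE.search(data):
        return "policies\\Explorer\\Run numeric value points to a dropped file in Local Settings\\Temp"
    return None


def check_listener(image, port):
    """Return a reason if a non-system svchost.exe listens on the backdoor port, else None."""
    if port == BACKDOOR_PORT and SVCHOST_COPY_RE.match(image):
        return f"svchost.exe outside system32 listening on TCP {port}"
    return None


def scan_events(events):
    """Apply both checks to a list of event dicts; return [(event_id, reason), ...]."""
    hits = []
    for ev in events:
        if ev["type"] == "registry_set":
            reason = check_registry(ev["key"], ev["name"], ev["data"])
        elif ev["type"] == "listen":
            reason = check_listener(ev["image"], ev["port"])
        else:
            reason = None
        if reason:
            hits.append((ev["id"], reason))
    return hits


# Constructed sample events (assumed layout): 1, 2 and 5 are malicious, 3 and 4 are benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "SunJavaUpdateSched", "data": r"C:\Documents and Settings\All Users\svchost.exe"},
    {"id": 2, "type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
     "name": "1042", "data": r"C:\Documents and Settings\All Users\Local Settings\Temp\xkqzp.pif"},
    {"id": 3, "type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "SunJavaUpdateSched", "data": r"C:\Program Files\Java\jre6\bin\jusched.exe"},
    {"id": 4, "type": "listen", "image": r"C:\WINDOWS\system32\svchost.exe", "port": 8000},
    {"id": 5, "type": "listen", "image": r"C:\Documents and Settings\All Users\svchost.exe", "port": 8000},
]
```

Event 3 mimics the legitimate Java updater, which uses the same value name but a different binary, so the check keys on the svchost.exe path rather than on the value name alone.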


Description inserted by Tudor Ciochina on Tuesday, August 28, 2012
Description updated by Tudor Ciochina on Wednesday, August 29, 2012
