BDS/Small.GY - Backdoor Server
Virus: BDS/Small.GY
Date discovered: 24/08/2005
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 26.112 Bytes
MD5 checksum: f18dbfa4da0d1134df47d05629154ccc
VDF version: 6.31.1.164
General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Backdoor.Win32.Small.gy
• Bitdefender: Backdoor.Small.GY
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
Side effects:
• Blocks access to security websites
• Disables security applications
• Third party control
Files
It copies itself to the following location:
• %WINDIR%\ixproxy.exe
It deletes the following file:
• %malware execution directory%\tmp.exe
The following file is created:
– %home%\application data\microsoft\crypto\rsa\%random character string%\%random character string%
Registry
The following registry keys are added in order to run the processes after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "ixproxy"="<%windir%>\ixproxy.exe"
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• "ixproxy"="<%windir%>\ixproxy.exe"
The following registry keys are added:
– HKEY_LOCAL_MACHINE
• "PCT_LC_COL3"="%random character string%"
– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• "%malware execution directory%\%malware executable%"="%malware execution directory%\%malware executable%:*:Enabled:Windows Update"
Hosts
The hosts file is modified as follows:
– Already existing entries remain unmodified.
– Access to the following domains is effectively blocked:
The modified hosts file will look like this:
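The hosts-file tampering described above is easy to audit: any mapping that resolves a security vendor's domain (or one of its subdomains) to an arbitrary address is a sign of this kind of infection. The following checker is an added example, not Avira's code; the watched-domain set is a subset of the vendor domains listed on this page and the hosts file content is constructed for the demonstration.

```python
import ipaddress

# Subset of the security-vendor domains this backdoor blocks (taken from this page);
# a hosts entry that resolves one of these, or any subdomain, is suspect.
WATCHED_DOMAINS = {
    "avp.com", "kaspersky.com", "kaspersky-labs.com", "symantec.com",
    "symantecliveupdate.com", "mcafee.com", "nai.com", "sophos.com",
    "f-secure.com", "trendmicro.com", "ca.com", "grisoft.com", "viruslist.com",
}

def _matches_watched(hostname):
    """True if hostname equals a watched domain or is a subdomain of one."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # try every suffix of >= 2 labels
        if ".".join(labels[i:]) in WATCHED_DOMAINS:
            return True
    return False

def find_hijacked_entries(hosts_text):
    """Return (line_no, ip, hostname) for every hosts-file mapping that
    redirects a watched security-vendor domain; comments and blanks are skipped."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for hostname in fields[1:]:            # one IP may map several names
            if _matches_watched(hostname):
                findings.append((line_no, str(ip), hostname.lower()))
    return findings

# Constructed sample hosts file: a legitimate localhost entry plus the kind of
# redirections this backdoor writes (existing entries are left untouched).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com kaspersky.com
0.0.0.0         liveupdate.symantec.com   # added by malware
127.0.0.1       downloads1.kaspersky-labs.com
127.0.0.1       intranet.example.internal
"""

if __name__ == "__main__":
    for line_no, ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

On a Windows host the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; a clean file yields an empty result.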
Process termination
List of processes that are terminated:
Backdoor
The following port is opened:
– %executed file% on a random TCP port in order to provide backdoor capabilities.
Contact server:
• http://209.200.**********/phpdocs/new/addme.php?botid=%random character string%&port=%random character string%&smtp=
It may send information to this server via an HTTP GET request to the PHP script.
Sends information about:
• IP address
• Opened port
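The check-in request above has a fixed shape (the addme.php path with botid, port and smtp parameters), which makes it a usable proxy-log signature even though the C2 address is masked on this page. The scanner below is an added example, not Avira's code; the log format is a generic access-log layout and "c2.example.invalid" is a placeholder for the masked server, both constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the check-in script named on this page; the C2 address is masked there,
# so detection keys on the path and query shape rather than on a host or IP.
BEACON_PATH = "/phpdocs/new/addme.php"
REQUIRED_PARAMS = ("botid", "port", "smtp")

# Generic proxy/access-log shape (constructed): client, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_beacon_url(url):
    """Return host/botid/port if url looks like the check-in request, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(BEACON_PATH):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # "smtp=" is empty but present
    if not all(p in qs for p in REQUIRED_PARAMS):
        return None
    port = qs["port"][0]
    return {"host": parts.hostname, "botid": qs["botid"][0],
            "port": int(port) if port.isdigit() else None}

def find_beacons(log_lines):
    """Scan access-log lines; return one dict per GET that matches the check-in."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        info = parse_beacon_url(m.group("url"))
        if info:
            hits.append({"client": m.group("client"), **info})
    return hits

# Constructed sample log lines; "c2.example.invalid" stands in for the masked C2 address.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Aug/2005:09:35:00 +0100] "GET http://c2.example.invalid/phpdocs/new/addme.php?botid=a7Qx9z&port=41237&smtp= HTTP/1.0" 200 312',
    '10.0.0.7 - - [26/Aug/2005:09:36:12 +0100] "GET http://www.example.org/index.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [26/Aug/2005:09:37:45 +0100] "GET http://c2.example.invalid/phpdocs/new/addme.php?botid=k2 HTTP/1.0" 200 40',
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)   # the reported port is the backdoor's listening port on the client
```

The port value the bot reports is the random TCP port it opened locally, so a hit gives both the infected client and the port to look for on it.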
See a brief description here.
Description inserted by Sergiu Oprea on Fri, 26 Aug 2005 09:35 (GMT+1)
Description updated by Sergiu Oprea on Tue, 30 Aug 2005 12:38 (GMT+1)
© 2008 Avira GmbH