BDS/Nanspy.C - Backdoor Server

See also

Summary

Full description

Statistics

Virus:	BDS/Nanspy.C
Date discovered:	07/10/2005
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	216.128 Bytes
MD5 checksum:	9C3D95E9D5C6DB594174C48AF2E3CFC0
VDF version:	6.32.0.67

General Method of propagation:
   • No own spreading routine

Alias:
   • Kaspersky: Backdoor.Win32.Nanspy.c

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to security websites
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files It copies itself to the following location:
   • %SYSDIR%\spools.exe

The following files are created:

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\xffq.ssq
   • %SYSDIR%\ddq32.ssq
   • %SYSDIR%\ch1.ssq
   • %SYSDIR%\ch2.ssq
   • %SYSDIR%\ch3.ssq
   • %SYSDIR%\ch4.ssq
   • %SYSDIR%\xiecache.ssq

– %SYSDIR%\xbccd.log Contains a unique ID of the infected computer.
– %SYSDIR%\xffq.ssq This file contains collected keystrokes.
– %SYSDIR%\ddq32.ssq This file contains collected keystrokes.
– %SYSDIR%\ch1.ssq This file contains collected keystrokes.
– %SYSDIR%\ch2.ssq This file contains collected keystrokes.
– %SYSDIR%\ch3.ssq This file contains collected keystrokes.
– %SYSDIR%\ch4.ssq This file contains collected keystrokes.
– %SYSDIR%\xiecache.ssq This file contains collected keystrokes.

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Spools Service Controller"="%SYSDIR%\spools.exe"

The value of the following registry key is removed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• spools.exe

Hosts The host file is modified as explained:

– In this case already existing entries remain unmodified.

– Access to the following domains are redirected to other destinations:
   • d-ru-1f.kaspersky-labs.com
   • d-ru-1h.kaspersky-labs.com
   • d-ru-2f.kaspersky-labs.com
   • d-ru-2h.kaspersky-labs.com
   • d-eu-2f.kaspersky-labs.com
   • d-eu-2h.kaspersky-labs.com
   • d-eu-1f.kaspersky-labs.com
   • d-eu-1h.kaspersky-labs.com
   • d-us-1f.kaspersky-labs.com
   • d-us-1h.kaspersky-labs.com
   • downloads1.kaspersky.ru
   • downloads2.kaspersky.ru
   • downloads3.kaspersky.ru
   • downloads4.kaspersky.ru
   • downloads5.kaspersky.ru
   • www.kaspersky.ru
   • kaspersky.ru
   • kaspersky-labs.com
   • www.kaspersky-labs.com

The modified host file will look like this:

Backdoor The following ports are opened:

– %SYSDIR%\spools.exe on a random TCP port in order to provide an HTTP server.
– %SYSDIR%\spools.exe in order to provide a Socks 4 proxy server.

Contact server:
One of the following:
   • http://66.235.160.**********/slogdrx.php
   • http://66.235.160.**********/slogch1.php
   • http://66.235.160.**********/slogch2.php
   • http://66.235.160.**********/slogch3.php
   • http://66.235.160.**********/slogch4.php
   • http://66.235.160.**********/slogcx.php
   • http://66.235.160.**********/logwmgx.php

The following:
   • http://66.235.160.**********/wad/init2.txt

As a result it may send information and remote control could be provided. This is done via the HTTP GET and POST method using a PHP script.

Sends information about:
    • Computer name
    • Created logfiles
    • Current user
    • IP address
    • Information about running processes
    • Username
    • Information about the Windows operating system

Remote control capabilities:
    • Delete file
    • Download file
    • Execute file
    • Kill process
    • Perform DDoS attack
    • Restart system
    • Terminate process

Stealing It tries to steal the following information:

– A logging routine is started after one of the following websites are visited:
   • www.e-gold.com; www.wamu.com; www.bankone.com; www.bankofamerica.com;
      tcfbank.com; adelaidebank.com.au; anz.com.au; cu.net.au; boq.com.au;
      bankwest.com.au; bendigobank.com.au; commbank.com.au; hsbc.com.au;
      ibisworld.com.au; macquarie.com.au; national.com.au; suncorp.com.au;
      stgeorge.com.au; online.westpac.com.au; nationalbank.co.nz;
      rbnz.govt.nz; bnz.co.nz; asbbank.co.nz; westpac.co.nz; kiwibank.co.nz;
      macquarie.com; anz.com; nabgroup.com; bankombudsman.org.nz

– It captures:
    • Window information
    • Login information

File details Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

See a brief description here.

Description inserted by Andrei Gherman on Mon, 10 Oct 2005 09:47 (GMT+1)
Description updated by Andrei Gherman on Thu, 13 Oct 2005 15:10 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back