BDS/Virkel.A - Backdoor Server

See also

Summary

Full description

Statistics

Virus:	BDS/Virkel.A
Date discovered:	28/10/2005
Type:	Backdoor Server
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low to medium
Damage Potential:	Medium
Static file:	Yes
File size:	104.960 Bytes
MD5 checksum:	87768eb9f0beaaac91be85d82e010B95
VDF version:	6.32.00.117 - Wed, 26 Oct 2005 12:12 (GMT+1)

General Method of propagation:
   • Messenger

Aliases:
   • Symantec: W32.Chod.D
   • Kaspersky: Backdoor.Win32.Virkel.a
   • Bitdefender: Backdoor.Chodebot.A

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to security websites
   • Disable security applications
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Steals information
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\%random character string%\csrss.exe

It deletes the initially executed copy of itself.

The following files are created:

– %SYSDIR%\%random character string%\smss.exe Furthermore it gets executed after it was fully created. This file serves as flag for an internal routine.
– %SYSDIR%\%random character string%\csrss.ini Contains parameters used by the malware.
– %SYSDIR%\netstat.com This file serves as flag for an internal routine.

Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "csrss"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "csrss"=""

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • "load"="%SYSDIR%\%random character string%\csrss.exe"
   • "run=%SYSDIR%\%random character string%\csrss.exe"

The following registry keys including all values and subkeys are removed:
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CleanUp]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirusScan Online]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmcService]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Outpost Firewall]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gcasServ]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pccguide.exe]

The following registry keys are added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   • "Hidden"=dword:00000002
   • "SuperHidden"=dword:00000000
   • "ShowSuperHidden"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"="1"
   • "NoAdminPage"="1"

Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger
– MSN Messenger

IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: bak.**********.net
Port: 37737
Channel: #.upd
Nickname: %10 digit random character string%

Server: pjn.**********.net
Port: 37737
Channel: #.upd
Nickname: %10 digit random character string%

– This malware has the ability to collect and send information such as:
    • Capture screen
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Platform ID
    • Information about running processes
    • Size of memory
    • Windows directory
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • disconnect from IRC server
    • Download file
    • Edit registry
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Register a service
    • Terminate process
    • Updates itself
    • Upload file

Hosts The host file is modified as explained:

– In this case already existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • avp.com; www.avp.com; ca.com; dispatch.mcafee.com;
      download.mcafee.com; f-secure.com; fastclick.net; ftp.f-secure.com;
      ftp.sophos.com; liveupdate.symantec.com; customer.symantec.com;
      pccguide.exe rads.mcafee.com; mast.mcafee.com; mcafee.com;
      my-etrust.com; nai.com; networkassociates.com; secure.nai.com;
      securityresponse.symantec.com; service1.symantec.com; sophos.com;
      support.microsoft.com; symantec.com; update.symantec.com;
      updates.symantec.com; us.mcafee.com; vil.nai.com; viruslist.com;
      www.viruslist.com; www.awaps.net; www.ca.com; www.f-secure.com;
      www.fastclick.net; www.mcafee.com; www.microsoft.com;
      www.my-etrust.com; www.nai.com; www.networkassociates.com;
      www.sophos.com; www.symantec.com; www3.ca.com; www.grisoft.com;
      grisoft.com; housecall.trendmicro.com; trendmicro.com;
      www.trendmicro.com; www.pandasoftware.com; pandasoftware.com;
      kaspersky.com; www.kaspersky.com; www.zonelabs.com; zonelabs.com;
      www.spywareinfo.com; spywareinfo.com; www.merijn.org; merijn.org

The modified host file will look like this:

Process termination List of processes that are terminated:
   • mpftray.exe; microsoft antispyware*; hijackthis*; msconfig.exe;
      kav.exe; kavsvc.exe; mcvsshld.exe; mcagent.exe; mcvsrte.exe;
      mcshield.exe; mcvsftsn.exe; mcdash.exe; mcvsescn.exe; mcinfo.exe;
      mpfagent.exe; CIzh_DataArrival; mpfservice.exe; mskagent.exe;
      mcmnhdlr.exe; sndsrvc.exe; usrprmpt.exe; ccapp.exe; ccevtmgr.exe;
      spbbcsvc.exe; ccsetmgr.exe; symlcsvc.exe; npfmntor.exe; navapsvc.exe;
      issvc.exe; ccproxy.exe; tmpfw.exe; navapw32.exe; navw32.exe; smc.exe;
      outpost.exe; zlclient.exe; vsmon.exe; isafe.exe; pandaavengine.exe;
      regedit.exe; hijackthis.exe; gcasdtserv.exe; gcasserv.exe;
      pcctlcom.exe; tmntsrv.exe; tmproxy.exe; pcclient.exe; ethereal.exe;
      wpe pro.exe; nat.exe; winsp3.exe; zonealarm.exe; zlclient.exe;
      vsmon.exe; mcupdmgr.exe; pccguide.exe; scrpres.dll; mcvsscrp.dll;
      vsmonapi.dll

Processes with one of the following strings are terminated:
   • KAVPersonal50; Zone Labs Client; Symantec Core LC; services;
      OutpostFirewall; Tmntsrv; tmproxy; TmPfw; PcCtlCom; CAISafe; vsmon;
      SBService; SAVScan; SPBBCSvc; ccSetMgr; ccPwdSvc; ccProxy; SNDSrvc;
      ccEvtMgr; navapsvc; ISSVC; GuardDogEXE; MpfService; MCVSRte; McShield;
      kavsvc

List of services that are disabled:
   • Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
   • System Restore Service
   • Microsoft AntiSpyware Server Process
   • System Restore Service
   • Windows Security Center Service

Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • dynupdate.**********.info
   • bak.**********.info

Mutex:
It creates the following Mutex:
   • ChodeBot 8=D

File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• PE Compact 2.X

See a brief description here.

Description inserted by Catalin Jora on Fri, 28 Oct 2005 10:44 (GMT+1)
Description updated by Catalin Jora on Wed, 02 Nov 2005 11:45 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back