Virus: BDS/Frauder.bu
Date discovered: 29/08/2008
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
File size: ~203.776 Bytes
IVDF version: 7.00.06.89 - Fri, 29 Aug 2008 08:45 (GMT+1)
General
Method of propagation:
• No own spreading routine

Aliases:
• Symantec: Trojan.Blusod
• Mcafee: Downloader-ASH.gen.b trojan
• Kaspersky: Backdoor.Win32.Frauder.bu
• F-Secure: Backdoor.Win32.Frauder.bu
• Sophos: Mal/EncPk-EU
• Panda: Adware/RogueAntimalware2008
• Grisoft: Downloader.FraudLoad.N
• Eset: a variant of Win32/Kryptik.E trojan
• Bitdefender: Trojan.FakeAlert.ACR

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a malicious file
• Drops malicious files
• Registry modification

It displays the content of a created pictorial file:

Files
It copies itself to the following location:
• %SYSDIR%\lphc1boj0e39c.exe

The following files are created:
– %TEMPDIR%\.tt1.tmp.vbs
  Furthermore it is executed once it has been fully created. Further investigation pointed out that this file is malware, too. Detected as: VBS/Agent.1002
– %SYSDIR%\blphc1boj0e39c.scr
  Furthermore it is executed once it has been fully created. Further investigation pointed out that this file is malware, too. Detected as: JOKE/BlueScreen.B
– %SYSDIR%\phc1boj0e39c.bmp
  Further investigation pointed out that this file is malware, too. Detected as: TR/Fakealert.AAF

It tries to download a file:
– The location is the following:
  • http://stat.antivirusxp-2008.net/**********/common/16.gif
  It is saved on the local hard drive under: C:\Documents and Settings\makrorechner\Local Settings\Temp\.tt4.tmp
  Furthermore this file is executed once it has been fully downloaded. Further investigation pointed out that this file is malware, too. Furthermore it contains malicious code.
Registry
One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "lphc1boj0e39c"="%SYSDIR%\lphc1boj0e39c.exe"

The following registry keys are added:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  • "NoDispBackgroundPage"=dword:00000001
  • "NoDispScrSavPage"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Software Notifier]
  • "InstallID"="858948ee-a000-4255-86f8-9e3baeb448b6"

The following registry keys are changed:
– [HKCU\Control Panel\Colors]
  New value:
  • "Background"="0 0 255"
– [HKCU\Control Panel\Desktop]
  New value:
  • "WallpaperStyle"="0"
  • "TileWallpaper"="0"
  • "Wallpaper"="%SYSDIR%\phc1boj0e39c.bmp"
  • "OriginalWallpaper"="%SYSDIR%\phc1boj0e39c.bmp"
  • "ConvertedWallpaper"="%SYSDIR%\phc1boj0e39c.bmp"
  • "SCRNSAVE.EXE"="%SYSDIR%\blphc1boj0e39c.scr"
  • "ScreenSaveActive"="1"
  • "ScreenSaveTimeOut"="600"

File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer. See a brief description here.

Description inserted by Andreas Feuerstein on Fri, 05 Sep 2008 10:42 (GMT+1)
Description updated by Andreas Feuerstein on Fri, 05 Sep 2008 11:52 (GMT+1)
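The Files and Registry sections above together describe how this sample persists (Run key entry) and locks down the desktop (policy values hiding Display Properties tabs, screensaver and wallpaper pointing at the dropped files). The following added example, not part of the original description or of any vendor tooling, parses a constructed .reg-style export and flags those indicators offline; the registry contents are constructed, and treating the "1boj0e39c" part of the file names as a variable identifier is an assumption.

```python
import re
# Constructed sample of a .reg-style export (not from a real host), mirroring the entries above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc1boj0e39c"="C:\\WINDOWS\\system32\\lphc1boj0e39c.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\blphc1boj0e39c.scr"
"Wallpaper"="C:\\WINDOWS\\system32\\phc1boj0e39c.bmp"
'''

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
POLICY_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System'
DESKTOP_KEY = r'HKEY_CURRENT_USER\Control Panel\Desktop'
# Names from the description: lphc<id>.exe, blphc<id>.scr, phc<id>.bmp; a variable <id> is an assumption.
PHC_FILE = re.compile(r'\\b?l?phc[0-9a-z]+\.(exe|scr|bmp)$', re.IGNORECASE)

def parse_reg(text):
    """Return {key: {name: value}} from a .reg export (string and dword values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('dword:'):
                keys[current][name] = int(raw[6:], 16)
            else:  # .reg exports double the backslashes inside string values
                keys[current][name] = raw.strip('"').replace('\\\\', '\\')
    return keys

def find_frauder_indicators(keys):
    """Return (key, value name, reason) for each entry matching the changes described above."""
    hits = []
    for name, value in keys.get(RUN_KEY, {}).items():
        if isinstance(value, str) and PHC_FILE.search(value):
            hits.append((RUN_KEY, name, 'autorun entry launching a *phc* executable'))
    for name in ('NoDispBackgroundPage', 'NoDispScrSavPage'):
        if keys.get(POLICY_KEY, {}).get(name) == 1:
            hits.append((POLICY_KEY, name, 'Display Properties tab hidden by policy'))
    for name in ('SCRNSAVE.EXE', 'Wallpaper', 'OriginalWallpaper', 'ConvertedWallpaper'):
        value = keys.get(DESKTOP_KEY, {}).get(name)
        if isinstance(value, str) and PHC_FILE.search(value):
            hits.append((DESKTOP_KEY, name, 'desktop setting pointing at a dropped *phc* file'))
    return hits
```

On a live host the same checks can be run against `reg export` output of the three keys; the policy values alone are also set by legitimate administrators, so they are corroborating evidence rather than a verdict on their own.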