Name: BDS/Ciadoor.BO
Discovered on: 30/07/2006
Type: Backdoor Server
ITW: No
Reported infections: Low
Spreading potential: Low
Damage potential: Medium to high
Static file: Yes
Size: 1,218,748 bytes
MD5: 655e5c9ea699d5ead17ad63529e09fe7
VDF version: 6.35.1.21
IVDF version: 6.35.1.21

General aliases:
   •  Kaspersky: Backdoor.Win32.Ciadoor.bo
   •  Bitdefender: Backdoor.Ciadoor.FA


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Terminates security applications
   • Creates files
   • Drops a malicious file
   • Lowers security settings
   • Modifies the registry
   • Exploits software vulnerabilities
   • Steals information
   • Enables unauthorized access to the computer


Immediately after it is executed, the following is displayed on screen:


Files
It copies itself to the following locations:
   • %SYSDIR%\tz2L7ah3Pa.ini
   • %SYSDIR%\Directx.exe



It deletes the originally executed copy of the malware.



The following files are created:

– A temporary file that may be deleted afterwards:
   • %SYSDIR%\del32.bat

– %SYSDIR%\drivers\oreans32.sys
– %SYSDIR%\wsock32.sys: further analysis showed that this file is also malicious. Detected as: BDS/Ciadoor.13.B

– %SYSDIR%\ckl009.dat: this file stores the keystrokes typed by the user.

Registry
The following registry keys are added in order to run the process after a system restart:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
   • "%SYSDIR%\DirectX.exe"="%SYSDIR%\directx.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Generic Host Process"="%SYSDIR%\directx.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
   Run
   • "Generic Host Process"="%SYSDIR%\directx.exe"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
   • "%SYSDIR%\DirectX.exe"="%SYSDIR%\directx.exe"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
   • "%SYSDIR%\DirectX.exe"="%SYSDIR%\directx.exe"

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   • "shell"="Explorer.exe %SYSDIR%\DirectX.exe"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
   • "Generic Host Process"="%SYSDIR%\DirectX.exe"



The following registry key is added in order to load the service after a system restart:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Runservices
   • "Generic Host Process"="%SYSDIR%\DirectX.exe"



The value of the following registry key is deleted:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}


It registers a browser helper object (BHO) by adding the following registry key:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}


The following registry keys are added:

– HKCR\N.Cs4\Clsid
   • "(Default)"="{E14DCE67-8FB7-4721-8149-179BAA4D792C}"

– HKCR\N.Cs4
   • "(Default)"="N.Cs4"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION
   • "(Default)"="3.0"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib
   • "(Default)"="{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32
   • "ThreadingModel"="Apartment"
   • "(Default)"="%SYSDIR%\wsock32.sys"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID
   • "(Default)"="N.Cs4"

– HKCR\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}
   • "(Default)"="N.Cs4"

– HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib
   • "Version"="3.0"
   • "(Default)"="{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"

– HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\
   ProxyStubClsid32
   • "(Default)"="{00020424-0000-0000-C000-000000000046}"

– HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\
   ProxyStubClsid
   • "(Default)"="{00020424-0000-0000-C000-000000000046}"

– HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}
   • "(Default)"="Cs4"

– HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR
   • "(Default)"="%SYSDIR%"

– HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32
   • "(Default)"="%SYSDIR%\wsock32.sys"

– HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS
   • "(Default)"="0"

– HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0
   • "(Default)"="N"

– HKCU\Software\VB and VBA Program Settings\set\set
   • "set"="tz2L7ah3Pa.ini"

– HKLM\SYSTEM\ControlSet003\Services\Messenger
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet003\Services\ATS
   • "Start"=dword:00000000

– HKCU\Software\Policies\Microsoft\Windows\System
   • "DisableCMD"=dword:00000001

– HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
   • "Disabled"=dword:00000000

– HKCR\..DlI
   • "(Default)"="exefile"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   • "run"="%SYSDIR%\DirectX.exe"

– HKLM\SYSTEM\ControlSet001\Services\SENS
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet002\Services\SENS
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet003\Services\SENS
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet001\Services\Nla
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet002\Services\Nla
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet003\Services\Nla
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet001\Services\Messenger
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet002\Services\Messenger
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet001\Services\ATS
   New value:
   • "Start"=dword:00000000

– HKLM\SYSTEM\ControlSet002\Services\ATS
   New value:
   • "Start"=dword:00000000

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   Old value:
   • "load"=""
   New value:
   • "load"="%SYSDIR%\DirectX.exe"

Network
Exploit:
It uses the following vulnerabilities:
– MS04-007 (ASN.1 vulnerability)
– MS05-039 (Plug and Play vulnerability)

Backdoor
Contacted servers:

   • doener.no-ip.**********:314

Over this channel it can send out information and receive remote-control commands.

It sends information about:
    • Screen captures
    • Webcam captures
    • The current user
    • Running processes
    • The operating system


Remote-control capabilities:
    • Change directory
    • Copy a file
    • Delete a file
    • List a directory
    • Display a message
    • Download a file
    • Execute a file
    • Terminate a process
    • Move a file
    • Restart the system
    • Send e-mails
    • Shut down the system
    • Upload a file

Information theft
It attempts to obtain the following information:

– It captures:
    • Keystrokes
    • Window information

Injection of malicious code into other processes
– It injects the following file into a process: %SYSDIR%\wsock32.sys


– It injects itself as a remote thread into a process.

    Process name:
   • %PROGRAM FILES%\Internet Explorer\IEXPLORER.exe

   If this succeeds, the malware stops executing while the injected component remains active.

Other information
Anti-debugging methods
If one is found, it displays the following message and terminates immediately:


Rootkit technology
It hides the following:
– Its own registry keys

File details
Programming language: Visual Basic.

Description inserted by Bogdan Iliuta on Monday, 31 July 2006
Description updated by Bogdan Iliuta on Friday, 4 August 2006
