Friday, July 15, 2011

Trojan Backdoor.PolyHack.33264 (aka Backdoor.Haxdoor)

VirusHunter warns computer users about the spread of a very dangerous Trojan, Backdoor.PolyHack.33264 (aka Backdoor.Haxdoor). The program gives hackers full control over infected computers via the Internet and is distributed through file-sharing networks under the guise of "useful" programs...


1. Installation in the system.

The Trojan was detected in one of the Chernovtsy file-sharing networks on June 3, 2004, disguised as an "update" package for the antivirus database of Kaspersky AntiVirus Personal Pro 5.0.13. The file is called kav5.0.13_Upd.exe, although the hackers may change the name. File size: 33,264 bytes (packed with the "FSG" utility, version 1.33). It is the installation package of the Trojan Backdoor.PolyHack.33264.
The backdoor consists of many components and runs on Windows versions from 9X through XP.
When the above file is run, the backdoor installs its components into the following system directories.
Under Windows 9X/ME:
 - WINDOWS\SYSTEM\w32_ss.exe (a "twin" copy of the backdoor's installation package);
 - WINDOWS\SYSTEM\debugg.dll (the backdoor program itself, packed with the "UPX" utility; 58,032 bytes packed, 85,168 bytes unpacked);
 - WINDOWS\SYSTEM\c3.dll (a "twin" copy of debugg.dll).
Under Windows 2K/2K Server/XP:
 - WINDOWS\SYSTEM32\w32_ss.exe (a "twin" copy of the backdoor's installation package);
 - WINDOWS\SYSTEM32\debugg.dll (the backdoor program itself, packed with "UPX"; 25,088 bytes packed, 52,224 bytes unpacked);
 - WINDOWS\SYSTEM32\c3.dll (a "twin" copy of debugg.dll);
 - WINDOWS\SYSTEM32\sdmapi.sys (auxiliary file in DOS32 executable format, 14,832 bytes);
 - WINDOWS\SYSTEM32\c3.sys (a "twin" copy of sdmapi.sys);
 - WINDOWS\SYSTEM32\boot32.sys (auxiliary file in DOS32 executable format, 4,096 bytes);
 - WINDOWS\SYSTEM32\c4.sys (a "twin" copy of boot32.sys).
The modification date and time of all backdoor components (except the file w32_ss.exe) are set either to the current date and time (under Windows 9X/ME) or to values copied from system files adjacent to the backdoor's components (under Windows 2K/2K Server/XP). Under certain undetermined conditions on Windows 2K/2K Server/XP the copy of the installation package, w32_ss.exe, may not be created by the Trojan. The main component of the backdoor is the file debugg.dll. It is registered in the system as a "Memory Manager" (inside a Windows kernel process: as a component of the system process EXPLORER.EXE under Windows 9X/ME or WINLOGON.EXE under 2K/2K Server/XP) and at the same time as a "Network service" (Network Interface Service Process).
As a result, the debugg.dll process does not appear in any of the system's lists of active processes. Moreover, under Windows 9X/ME the Trojan often uses a special technique by which the file debugg.dll is shielded from some system calls and is not visible on the hard drive (although it is, of course, there). To be able to run covertly at each system start, the Trojan creates the following registry keys; under Windows 2K/2K Server/XP: [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows ... As can be seen, under Windows 2K/2K Server/XP the file name debugg.dll in the "DLLName" value of the key is written hex-encoded to complicate detection of the key. It is also important that, having infected one machine in a local (office) network, the Trojan can install itself on other machines whose system directory is open for full access.


2. The "PSW-trojan" procedure (password spy).

In the same directory where its components are installed, the Trojan creates a log file named klogini.dll, in which it stores, in encrypted form, user data fished out of the corresponding system files: the username, password and account details used to connect to the Internet service provider, the Windows logon password (if any), and the network passwords (if any) used for connections to other computers in a local (office) network. Apparently this procedure works only under Windows 9X/ME. The Trojan also creates a log file page2.ini, which stores information about the version of Windows installed on the infected machine and some other service data. Later both log files can be sent to the hackers.


3. The "keylogger" procedure.

The Trojan also creates, in the directory with its components, a log file named klog.sys, into which it writes the keys pressed (only after receiving the corresponding command over the Internet). During this procedure the Trojan captures keyboard input in the windows of Win32 applications and in various Win32 text editors. In addition, under Windows 9X/ME the same log file records the names and locations of all user and system applications launched while the system is running, as well as their start times. This log file can later also be sent to the hackers.


4. The "backdoor" procedure (remote administration).

When the infected machine connects to the Internet, the Trojan opens TCP port 16661 and waits for commands from its authors. Under Windows 2K/2K Server/XP the Trojan also uses some special features of the auxiliary component sdmapi.sys (c3.sys) to bypass the ZoneAlarm and Symantec firewalls (Internet security software).
The infected machine is then covertly administered from the hacker's machine at IP address 66.246.38.4. During this "administration" the backdoor creates in the system directory the temporary files incoming.a3d (records the commands received from the attackers) and error.a3d (records the errors that occurred while connecting to the hacker's machine). The basic commands the backdoor can execute are the following:
 - Send the log files klogini.dll, page2.ini and klog.sys to the hackers' e-mail addresses, which the Trojan reads from the tail block of its component debugg.dll (c3.dll). The address list is encrypted and is decrypted only when the Trojan receives the corresponding command to dispatch the logs. The Trojan then generates an e-mail message with the subject "Re" and sends the attached log files to about 20 addresses, with all the ensuing negative consequences. For this procedure the Trojan uses its own SMTP server (a logical mail server for sending messages).
 - Create a log listing all files available on the disk.
 - Create/delete files and directories on the disk.
 - Download, install and run any files from the Internet.
 - Send the file w32_ss.exe, under a random name, to machines connected to the infected machine over a file-sharing network.
 - Set rules for remote administration of the infected machine (limited user rights).


5. The "trojan-downloader" procedure (downloading files via the Internet).

To be able to transfer files to and from the hacker's machine, the Trojan creates on the infected machine something like a file-sharing network operating covertly between the hacker's machine and the infected one. This allows the attacker to download onto the machine controlled by the Trojan, and then execute, a variety of malicious programs, as well as to receive from it copies of program files or documents at will, with all the ensuing negative consequences. The process is as follows: on the attacker's command, the Trojan creates a temporary directory on the system drive of the infected machine (the directory name may vary, as it is specified directly by the intruder) and opens it for full access. Next, the Trojan downloads the files, which are either transmitted directly from the remote machine or, using a suitable procedure, covertly fetched from any download server specified by the attacker. After receiving the files, the Trojan executes them.
Among other programs, the Trojan may download and install on the target machine some of its additional components called inetmib1.dll and pdx.dll (the purpose of these files is unknown to me, since I do not have them), as well as updated versions of its components.
At the end of the file-upload process, on the attacker's command the Trojan deletes the temporary directory it created together with all its contents, since by then the files are nothing but rubbish.


Miscellaneous.

The code of all Trojan components, and some of the log files, contains the following "copyright" string (possibly an identifier of its presence on an infected system): ) 8 **.+= l8 † x xx IIII While carrying out its procedures, the backdoor can play some sound tracks.


6. Trojan detection.

Since January 2005, the nomenclature and names of the Trojan installer's components in some antivirus companies' products have been changed to the following:
 - Kaspersky AntiVirus: Backdoor.Win32.Haxdoor.l (the components sdmapi.sys and c3.sys are detected as Backdoor.Win32.Haxdoor.as);
 - BitDefender Professional: Backdoor.Haxdoor.C;
 - DrWeb: BackDoor.Death.120.
If this Trojan is found on a machine, after removing all its components it is recommended to change all passwords used on the system (such as the password for connecting to the Internet) as well as bank account numbers, if such information was stored on the computer during its infection.
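As an added, defender-side illustration that is not part of the original write-up: a small Python helper that checks exported registry values and netstat output for the artifacts described in sections 1, 4 and 6 above, undoing the hex encoding the Trojan applies to its "DLLName" value. The Winlogon Notify key path in the sample input is an assumption (the write-up's own key listing is truncated), and the sample registry entries and netstat lines are constructed.

```python
import re

# Component and log file names the write-up attributes to the Trojan (sections 1-5).
HAXDOOR_FILES = {"w32_ss.exe", "debugg.dll", "c3.dll", "sdmapi.sys", "c3.sys", "boot32.sys",
                 "c4.sys", "klogini.dll", "page2.ini", "klog.sys", "incoming.a3d", "error.a3d"}
BACKDOOR_PORT = 16661           # TCP port the backdoor listens on (section 4)
HACKER_ADDRESS = "66.246.38.4"  # controlling host named in section 4

def decode_dllname(value):
    """Undo the hex encoding used for the DLLName value; plain or binary values
    come back as the file name they hold."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).rstrip(b"\x00").decode("latin-1")
    compact = re.sub(r"[\s,]", "", value.strip())
    if re.fullmatch(r"[0-9A-Fa-f]+", compact) and len(compact) % 2 == 0 and len(compact) >= 8:
        decoded = bytes.fromhex(compact).rstrip(b"\x00").decode("latin-1")
        if all(32 <= ord(ch) < 127 for ch in decoded):   # accept only printable text
            return decoded
    return value.strip()

def suspicious_registry_entries(entries):
    """entries: (key_path, value_name, value_data) triples. Returns the keys whose
    DLLName value decodes to a known Trojan component, with the decoded name."""
    hits = []
    for key, name, data in entries:
        if name.lower() != "dllname":
            continue
        basename = decode_dllname(data).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in HAXDOOR_FILES:
            hits.append((key, basename))
    return hits

def suspicious_netstat_lines(lines):
    """Flag 'netstat -an' style lines showing a listener on the backdoor port or
    any TCP connection to the controlling host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "TCP":
            continue
        local_port = parts[1].rsplit(":", 1)[-1]
        if local_port == str(BACKDOOR_PORT) or parts[2].startswith(HACKER_ADDRESS + ":"):
            hits.append(line.strip())
    return hits

# Constructed sample input (Winlogon Notify key path assumed, not taken from the write-up).
NOTIFY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SAMPLE_REGISTRY = [(NOTIFY + r"\crypt32chain", "DLLName", "crypt32.dll"),
                   (NOTIFY + r"\sample", "DLLName", "64 65 62 75 67 67 2e 64 6c 6c 00")]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
                  "  TCP    0.0.0.0:16661          0.0.0.0:0              LISTENING",
                  "  TCP    192.168.0.10:1052      66.246.38.4:80         ESTABLISHED",
                  "  UDP    0.0.0.0:445            *:*"]
```

Feed it the output of a registry export and of netstat -an taken on the suspect machine; a hit on either check is a reason to look for the files listed in section 1.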

Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 05/06/2004
Date of last change: 15.06.2005
Author of the description: Broido Herman (aka VirusHunter)
