BackDoor.IRC.Bot.650

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe] 'Debugger' = 'MsTvClient.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = 'ctfmon.exe'

Creates the following files on removable media:

<Drive name for removable media>:\Autorun.inf
<Drive name for removable media>:\~data\686750.exe

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '<SYSTEM32>\MsTvClient.exe' = '<SYSTEM32>\MsTvClient.exe:*:Enabled:LAN Router'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\MsTvClient.exe' = '<SYSTEM32>\MsTvClient.exe:*:Enabled:LAN Router'

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Creates and executes the following:

<SYSTEM32>\MsTvClient.exe <Full path to virus>

Executes the following:

<SYSTEM32>\sc.exe config SbPF.Launcher start= disabled
<SYSTEM32>\sc.exe stop SbPF.Launcher
<SYSTEM32>\net.exe stop SPF4
<SYSTEM32>\sc.exe delete SbPF.Launcher
<SYSTEM32>\sc.exe delete vsmon
<SYSTEM32>\sc.exe config vsmon start= disabled
<SYSTEM32>\net.exe stop SbPF.Launcher
<SYSTEM32>\net1.exe stop vsmon
<SYSTEM32>\net.exe stop acssrv
<SYSTEM32>\net1.exe stop SPF4
<SYSTEM32>\sc.exe config acssrv start= disabled
<SYSTEM32>\sc.exe stop acssrv
<SYSTEM32>\sc.exe config SPF4 start= disabled
<SYSTEM32>\sc.exe stop SPF4
<SYSTEM32>\net1.exe stop SbPF.Launcher
<SYSTEM32>\sc.exe delete SPF4
<SYSTEM32>\sc.exe delete SmcService
<SYSTEM32>\sc.exe config SmcService start= disabled
<SYSTEM32>\net.exe stop SmcService
<SYSTEM32>\sc.exe stop SmcService
<SYSTEM32>\sc.exe config KPF4 start= disabled
<SYSTEM32>\sc.exe stop KPF4
<SYSTEM32>\sc.exe delete KPF4
<SYSTEM32>\net1.exe stop KPF4
<SYSTEM32>\sc.exe stop vsmon
<SYSTEM32>\sc.exe delete cmdAgent
<SYSTEM32>\net1.exe stop cmdAgent
<SYSTEM32>\net.exe stop vsmon
<SYSTEM32>\net.exe stop cmdAgent
<SYSTEM32>\sc.exe config cmdAgent start= disabled
<SYSTEM32>\net1.exe stop SmcService
<SYSTEM32>\sc.exe stop cmdAgent
<SYSTEM32>\sc.exe delete acssrv
<SYSTEM32>\net1.exe /C sc delete "Sophos Client Firewall"
<SYSTEM32>\sc.exe /C sc stop "Sophos Client Firewall"
<SYSTEM32>\sc.exe config "Sophos Client Firewall" start= disabled
<SYSTEM32>\sc.exe stop "Sophos Client Firewall"
<SYSTEM32>\net1.exe stop "Sophos AutoUpdate Service"
<SYSTEM32>\sc.exe /pid=3812
<SYSTEM32>\sc.exe /pid=3004
<SYSTEM32>\sc.exe delete "Sophos AutoUpdate Service"
<SYSTEM32>\sc.exe config "Sophos Client Firewall Manager" start= disabled
<SYSTEM32>\net.exe stop "Sophos Client Firewall Manager"
<SYSTEM32>\net1.exe stop "Sophos Client Firewall Manager"
<SYSTEM32>\sc.exe delete "Sophos Client Firewall Manager"
<SYSTEM32>\net1.exe /pid=3516
<SYSTEM32>\sc.exe delete "Sophos Client Firewall"
<SYSTEM32>\sc.exe stop "Sophos Client Firewall Manager"
<SYSTEM32>\net1.exe stop "Sophos Client Firewall"
<SYSTEM32>\net1.exe /pid=1124
<SYSTEM32>\sc.exe delete SAVService
<SYSTEM32>\net1.exe stop SAVAdminService
<SYSTEM32>\net1.exe stop SAVService
<SYSTEM32>\sc.exe stop SAVService
<SYSTEM32>\net1.exe stop acssrv
<SYSTEM32>\sc.exe /pid=3692
<SYSTEM32>\net1.exe config SavService start= disabled
<SYSTEM32>\sc.exe /pid=3924
<SYSTEM32>\sc.exe /pid=2528
<SYSTEM32>\sc.exe config "Sophos AutoUpdate Service" start= disabled
<SYSTEM32>\net.exe stop "Sophos AutoUpdate Service"
<SYSTEM32>\sc.exe config SAVAdminService start= disabled
<SYSTEM32>\net.exe stop SAVAdminService
<SYSTEM32>\sc.exe delete SAVAdminService
<SYSTEM32>\sc.exe /pid=248
<SYSTEM32>\net.exe stop KPF4
<SYSTEM32>\sc.exe stop "avast! Antivirus"
<SYSTEM32>\net.exe stop "avast! Antivirus"
<SYSTEM32>\sc.exe delete "avast! Antivirus"
<SYSTEM32>\sc.exe config "avast! Antivirus" start= disabled
<SYSTEM32>\sc.exe config K7TSMngr start= disabled
<SYSTEM32>\sc.exe stop K7TSMngr
<SYSTEM32>\net1.exe stop K7TSMngr
<SYSTEM32>\sc.exe delete K7TSMngr
<SYSTEM32>\sc.exe delete AntiVirService
<SYSTEM32>\net1.exe stop AntiVirService
<SYSTEM32>\sc.exe stop PASRV
<SYSTEM32>\net.exe stop PASRV
<SYSTEM32>\net.exe stop AntiVirService
<SYSTEM32>\net1.exe stop "avast! Antivirus"
<SYSTEM32>\sc.exe config AntiVirService start= disabled
<SYSTEM32>\sc.exe stop AntiVirService
<SYSTEM32>\net.exe stop MsMpSvc
<SYSTEM32>\net1.exe stop CSIScanner
<SYSTEM32>\sc.exe config MsMpSvc start= disabled
<SYSTEM32>\sc.exe stop MsMpSvc
<SYSTEM32>\sc.exe config CSIScanner start= disabled
<SYSTEM32>\net.exe stop CSIScanner
<SYSTEM32>\sc.exe delete CSIScanner
<SYSTEM32>\sc.exe stop CSIScanner
<SYSTEM32>\sc.exe delete K7RTScan
<SYSTEM32>\sc.exe config K7RTScan start= disabled
<SYSTEM32>\net1.exe stop K7RTScan
<SYSTEM32>\net.exe stop K7TSMngr
<SYSTEM32>\sc.exe delete MsMpSvc
<SYSTEM32>\net1.exe stop MsMpSvc
<SYSTEM32>\sc.exe stop K7RTScan
<SYSTEM32>\net.exe stop K7RTScan
<SYSTEM32>\sc.exe config PASRV start= disabled
<SYSTEM32>\net.exe stop OutpostFirewall
<SYSTEM32>\sc.exe delete McShield
<SYSTEM32>\net1.exe stop McShield
<SYSTEM32>\sc.exe stop OutpostFirewall
<SYSTEM32>\net.exe stop McShield
<SYSTEM32>\net1.exe stop avg9wd
<SYSTEM32>\sc.exe config McShield start= disabled
<SYSTEM32>\sc.exe stop McShield
<SYSTEM32>\net.exe stop TmPfw
<SYSTEM32>\sc.exe config TmPfw start= disabled
<SYSTEM32>\net1.exe stop TmPfw
<SYSTEM32>\sc.exe delete TmPfw
<SYSTEM32>\net1.exe stop OutpostFirewall
<SYSTEM32>\sc.exe config OutpostFirewall start= disabled
<SYSTEM32>\sc.exe stop TmPfw
<SYSTEM32>\sc.exe delete OutpostFirewall
<SYSTEM32>\sc.exe delete VSSERV
<SYSTEM32>\sc.exe config VSSERV start= disabled
<SYSTEM32>\net.exe stop avg8wd
<SYSTEM32>\net1.exe stop VSSERV
<SYSTEM32>\net1.exe stop PASRV
<SYSTEM32>\sc.exe delete PASRV
<SYSTEM32>\sc.exe stop VSSERV
<SYSTEM32>\net.exe stop VSSERV
<SYSTEM32>\sc.exe stop avg9wd
<SYSTEM32>\net.exe stop avg9wd
<SYSTEM32>\sc.exe delete avg9wd
<SYSTEM32>\sc.exe config avg9wd start= disabled
<SYSTEM32>\sc.exe config avg8wd start= disabled
<SYSTEM32>\sc.exe stop avg8wd
<SYSTEM32>\net1.exe stop avg8wd
<SYSTEM32>\sc.exe delete avg8wd

Injects code into

the following system processes:

<SYSTEM32>\cmd.exe
<SYSTEM32>\net.exe
<SYSTEM32>\net1.exe
%WINDIR%\Explorer.EXE
<SYSTEM32>\sc.exe

Terminates or attempts to terminate

the following user processes:

zlclient.exe
GUARD.EXE

Searches for windows to

detect analytical utilities:

ClassName: 'PROCMON_WINDOW_CLASS' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'

detect programs and games:

ClassName: 'gdkWindowToplevel' WindowName: 'The Wireshark Network Analyzer'

Hides the following processes:

<Full path to virus>

Modifies file system :

Creates the following files:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\debug[1].zip
<SYSTEM32>\MsTvClient.exe

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\MsTvClient.exe

Deletes itself.

Network activity:

Connects to:

'co##.##nts0m3mor3.com':80

TCP:

HTTP GET requests:

co##.##nts0m3mor3.com/net/debug.zip

UDP:

DNS ASK ns###.##rbertnsvinkle.com
DNS ASK ns###.#azibmahmoud.com
DNS ASK ns###.##esavemachine.com
DNS ASK ns###.###dvenauctionhouse.net
DNS ASK ns###.#otornot-tw.com
DNS ASK ns###.##nicregistrar.com
DNS ASK ns###.#wnameservers.net
DNS ASK ns###.##gicsavings4all.com
DNS ASK ns###.##rfthewavesinc.net
DNS ASK co##.##nts0m3mor3.com
DNS ASK ns##.###tysurfboards.net
DNS ASK ns###.##rfingsuppliesco.net
DNS ASK ns###.#avehugedaily.com
DNS ASK ns###.#aveitallbaby.com
DNS ASK ns###.##dsurfingsupply.net

Miscellaneous:

Searches for the following windows:

ClassName: 'PROCEXPL' WindowName: ''
ClassName: '#32770' WindowName: 'Regshot 1.8.2'
ClassName: 'TCPViewClass' WindowName: ''
ClassName: 'CNetmonMainFrame' WindowName: 'Microsoft Network Monitor 3.3'
ClassName: 'SmartSniff' WindowName: 'SmartSniff'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial