
Backdoor:Win32/Wkysol.H


First posted on 23 March 2012.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Win32/Wkysol.H.

Explanation:

Backdoor:Win32/Wkysol.H is malware that allows backdoor access and control of the affected computer by a remote attacker. It is designed to execute a series of commands on the affected computer.





Installation

Backdoor:Win32/Wkysol.H is injected into the following processes:

  • firefox.exe
  • iexplorer.exe
  • outlook.exe


It connects to the server "happybehere.com" to send the affected computer's name and IP address to log its presence.

It queries Internet Explorer and Firefox settings for proxy servers used. It then attempts to connect to the Internet using the proxy servers, if available.



Payload

Steals sensitive information

Backdoor:Win32/Wkysol.H performs the following actions to steal sensitive information:

  • Log keystrokes
  • Log when programs are opened and closed
  • Get clipboard contents
  • Get certificate and smart card-related information


It stores the logged keystrokes in the file "%AppData%/Local/MSF5F0.dat".

Allows backdoor access and control

Backdoor:Win32/Wkysol.H allows an attacker to perform a number of actions on an affected computer. These actions may include, but are not limited to, the following:

  • Get system startup time
  • Execute arbitrary commands
  • Get computer network information, such as computer name, IP address, subnet mask, gateway information, DNS/DHCP/Proxy/WINS server information
  • Copy files
  • Move files
  • Load a DLL file or execute an API
  • Unload a DLL file
  • Enumerate files in the affected computer
  • Execute files
  • Get process-related information, such as process names, CPU times, memory usage, and so on
  • Enumerate or get information about open ports in the affected computer
  • Uninstall itself
  • Restart the affected computer
  • Terminate a process
  • Get keylogger logs
  • Get certificate information
  • Get smart card information
  • Perform a number of smart card-related commands, such as executing several card-related APIs, setting the header information, setting the certificate information, and so on


The commands are located in an encrypted file named "%AppData%/Local/MSF5F1.dat", which it downloads from "happybehere.com". After decryption, the commands are placed in a file named "%AppData%/Local/MSF5F4.dat".
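As an added example, not part of the Microsoft write-up, the following Python routine triages host telemetry against the indicators named on this page: the C2 domain, the three injection-target process names, and the MSF5F0/MSF5F1/MSF5F4 .dat artifacts under %AppData%/Local. The event schema (kind, process, detail) and the sample records are constructed assumptions, not real logs.

```python
import re
from collections import namedtuple

# Indicators taken from the write-up above.
C2_DOMAIN = "happybehere.com"
INJECTED_HOSTS = {"firefox.exe", "iexplorer.exe", "outlook.exe"}
ARTIFACT_FILES = {
    "msf5f0.dat": "keystroke log",
    "msf5f1.dat": "encrypted command file",
    "msf5f4.dat": "decrypted command file",
}
# Matches both an expanded profile path (...\AppData\Local\) and the
# unexpanded %AppData%/Local/ notation used in the write-up.
ARTIFACT_DIR = re.compile(r"appdata%?[\\/]local[\\/]", re.IGNORECASE)

# Assumed telemetry shape: kind is "dns" or "file", process is the image name,
# detail is the queried domain or the written file path.
Event = namedtuple("Event", "kind process detail")


def triage(events):
    """Return (severity, reason) findings for events matching the indicators."""
    findings = []
    for ev in events:
        proc = ev.process.lower()
        if ev.kind == "dns" and ev.detail.lower().rstrip(".") == C2_DOMAIN:
            # The backdoor runs inside a browser or mail client, so a match
            # from one of those hosts is consistent with the injection list.
            ctx = "injection-target host" if proc in INJECTED_HOSTS else "unexpected host"
            findings.append(("high", f"{ev.process} ({ctx}) resolved C2 domain {ev.detail}"))
        elif ev.kind == "file":
            name = ev.detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in ARTIFACT_FILES and ARTIFACT_DIR.search(ev.detail):
                findings.append(("high", f"{ev.process} wrote {ARTIFACT_FILES[name]}: {ev.detail}"))
    return findings


# Constructed sample telemetry: two true positives per kind plus benign noise.
SAMPLE_EVENTS = [
    Event("dns", "firefox.exe", "happybehere.com"),
    Event("dns", "firefox.exe", "example.org"),
    Event("file", "outlook.exe", r"C:\Users\alice\AppData\Local\MSF5F0.dat"),
    Event("file", "outlook.exe", r"C:\Users\alice\AppData\Local\MSF5F1.dat"),
    Event("file", "notepad.exe", r"C:\Users\alice\Documents\notes.dat"),
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```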



Analysis by Edgardo Diaz

Last update 23 March 2012
