
Backdoor:Win32/Caphaw.A


First posted on 22 November 2011.
Source: SecurityHome

Aliases:

Backdoor:Win32/Caphaw.A is also known as Backdoor.Win32.Caphaw (Ikarus).

Explanation:

Backdoor:Win32/Caphaw.A is a trojan that allows unauthorized access and control of an affected computer.





Installation

When executed, Backdoor:Win32/Caphaw.A makes a copy of itself in a variable location, such as the following:

  • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\all\
  • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng\
  • %AppData%\microsoft\cryptneturlcache\metadata\
  • %AppData%\microsoft\drm\
  • %AppData%\microsoft\excel\xlstart\
  • %AppData%\microsoft\internet explorer\
  • %AppData%\microsoft\office\
  • %AppData%\microsoft\word\


with a variable file name such as any of the following:

  • csrss.exe
  • eventvwr.exe
  • expand.exe
  • ie4uinit.exe
  • mem.exe
  • mobsync.exe
  • qappsrv.exe
  • route.exe
  • rundll32.exe
  • winmine.exe


Note that legitimate files also named "csrss.exe" and "rundll32.exe" exist by default in the Windows system folder.

The malware creates approximately 20 mutexes named "MTX_<random hex number>" (for example, "MTX_9F5977F52104E883ACC0E9DEACC0E9DE").

It modifies the registry to ensure it runs at each Windows restart:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2})
With data: "<full installation path>" (for example "%AppData%\Microsoft\Excel\xlstart\winmine.exe")
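The persistence entry described above (a CLSID-style value name under the HKCU Run key whose data points to one of the listed file names inside one of the listed %AppData% subfolders) can be checked mechanically. The following is an added example written for this page, not code from the original analysis; it runs over a constructed list of Run values, and the 32-digit mutex length is assumed from the single example on the page.

```python
import re
import ntpath  # Windows path semantics, so the check also runs on a non-Windows analysis box

# %AppData% subfolders and file names taken from the writeup above.
CAPHAW_DIRS = (
    r"adobe\linguistics\dictionaries\adobe custom dictionary\all",
    r"adobe\linguistics\dictionaries\adobe custom dictionary\eng",
    r"microsoft\cryptneturlcache\metadata",
    r"microsoft\drm",
    r"microsoft\excel\xlstart",
    r"microsoft\internet explorer",
    r"microsoft\office",
    r"microsoft\word",
)
CAPHAW_NAMES = {"csrss.exe", "eventvwr.exe", "expand.exe", "ie4uinit.exe", "mem.exe",
                "mobsync.exe", "qappsrv.exe", "route.exe", "rundll32.exe", "winmine.exe"}
# Value name of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, as in the example above.
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Assumption: 32 hex digits, inferred from the one mutex example given on the page.
MUTEX_RE = re.compile(r"^MTX_[0-9A-F]{32}$")


def run_value_matches(name, data, appdata):
    """True when a Run value has a CLSID-style name and its data is one of the listed
    file names inside one of the listed %AppData% subfolders."""
    if not CLSID_RE.match(name.strip()):
        return False
    path = re.sub(r"%appdata%", lambda _: appdata, data.strip().strip('"'), flags=re.I)
    folder, fname = ntpath.split(ntpath.normpath(path))
    folder, base = folder.lower(), ntpath.normpath(appdata).lower()
    in_listed_dir = any(folder == ntpath.join(base, d) for d in CAPHAW_DIRS)
    # The legitimate csrss.exe / rundll32.exe in the system folder do not match,
    # because only the listed %AppData% subfolders count.
    return in_listed_dir and fname.lower() in CAPHAW_NAMES


def suspicious_run_values(entries, appdata):
    """Return the value names among (name, data) pairs that match the pattern."""
    return [name for name, data in entries if run_value_matches(name, data, appdata)]


def is_caphaw_mutex(name):
    return MUTEX_RE.match(name) is not None


# Constructed sample of Run values, not taken from a real host.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("{FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}", r"%AppData%\Microsoft\Excel\xlstart\winmine.exe"),
    ("{11111111-2222-3333-4444-555555555555}", r"C:\Windows\System32\rundll32.exe"),
]
```

On a live host the (name, data) pairs would come from enumerating HKCU\Software\Microsoft\Windows\CurrentVersion\Run; the third sample entry shows that a CLSID-named value pointing at the genuine System32 rundll32.exe is not flagged.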

It deletes itself after it has performed its malicious routine by running a BAT file that it also drops. To run the BAT file, it runs the following command:

<system folder>\cmd.exe /c <install folder>\7.TMP.BAT

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

Backdoor:Win32/Caphaw.A injects itself into the following processes to hinder detection and removal:

  • firefox.exe
  • iexplore.exe
  • explorer.exe
  • reader_sl.exe


Payload

Allows backdoor access and control

Backdoor:Win32/Caphaw.A attempts to communicate using TCP port 443 to certain servers, such as the following:

  • web<removed>es.cc
  • exte<removed>adv.cc
  • no<removed>here.cc
  • commonworld<removed>.cc


An attacker can perform any number of different actions on an affected computer infected with this threat, such as:

  • Control of the system desktop, which allows the attacker to see the desktop, and to gain control of the mouse and keyboard
  • Access to files and folders via an internal FTP server
  • Redirect Internet traffic via a proxy server
  • Send ICMP packets that can be used in distributed denial-of-service (DDoS) attacks
  • Log and redirect web traffic from Mozilla Firefox and Internet Explorer
  • Update itself
  • Shut down or restart the computer

Additional information

This threat has been observed spreading as a post on users' Facebook walls:





Analysis by Mihai Calota

Last update 22 November 2011

 
