Home / malware Backdoor:Win32/Darkshell.B
First posted on 13 September 2011.
Source: SecurityHomeAliases :
There are no other names known for Backdoor:Win32/Darkshell.B.
Explanation :
Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.
Top
Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.
Installation
Upon execution, Backdoor:Win32/Darkshell.B creates a copy of itself in the following file location and registers this copy as a service so it runs at each Windows start:
- <system folder>\drivers\svchost.exe
Win32/Darkshell.B then launches this copy and deletes its original executable from the computer.
The backdoor also creates copies of itself in the following file locations using randomly generated file names:
- <system folder>\<random 5-letters>.exe
- <system folder>\drivers\<random 5-letters>.exe
- <system folder>\dllcache\<random 5-letters>.exe
- <system folder>\ime\<random 5-letters>.exe
- %ProgramFiles%\common files\microsoft shared\<random 5-letters>.exe
- %ProgramFiles%\internet explorer\connection wizard\<random 5-letters>.exe
- %ProgramFiles%\windows media player\<random 5-letters>.exe
- %windir%\addins\<random 5-letters>.exe
- %windir%\system\<random 5-letters>.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Spreads via...
Removable drives
Backdoor:Win32/Darkshell.B may receive instructions from a remote host to spread via removable drives. Darkshell.B may copy itself to any removable drives on the system using the file name "setup.exe", as well as creating an "autorun.inf" file in the drive that launches "setup.exe", if the Autorun feature is enabled on the compromised computer.
It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
Payload
Modifies executable files
Backdoor:Win32/Darkshell.B modifies files with ".exe" file extensions in all fixed drives so that when these files are launched, a copy of the malware is also executed. The modified files are detected as Virus:Win32/Luder.B. Backdoor:Win32/Darkshell.B avoids infecting files that are in the following directories:
- \Windows
- \WinNT
- \Windows NT
- \Documents and Settings
- \System Volume Information
- \Recycled
- \WindowsUpdate
- \Windows Media Player
- \Outlook Express
- \Internet Explorer
- \NetMeeting
- \ComPlus Applications
- \Messenger
- \Microsoft Frontpage
- \Movie Maker
- \NetMeeting
Contacts remote hosts
In the wild, we have observed Backdoor:Win32/Darkshell.B attempting to contact the following remote host through port 1981:
- hackpigpig.3322.org
The malware parses information received from the host to interpret other host servers with which to connect. Darkshell also sends system information to the host such as the system's computer name, Windows version, and amount of RAM.
Darkshell may also receive commands from the host that allow it to perform a number of actions on the infected computer, such as:
- Remove itself from the system
- Download and execute files
- Execute files
- Spread through removable drives
Downloads and executes arbitrary files
Through its backdoor component, Win32/Darkshell.B may receive instructions to download and execute an arbitrary file from a specific URL. If ordered to do so, the backdoor saves the file to the file location "C:\pagefile.pif" and executes it.
Analysis by Amir Fouda
Last update 13 September 2011
