
Backdoor:Win32/Poison.gen!F


First posted on 09 February 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Poison.gen!F is also known as Trojan.DownLoader5.17564 (Dr.Web), Trojan.Win32.Toryasi (Ikarus), Trojan horse SHeur2.CLIE (AVG), Trojan.Generic.5028360 (BitDefender).

Explanation:

Backdoor:Win32/Poison.gen!F is a variant of Win32/Poison, a backdoor family that allows unauthorized access and control of an affected computer. Backdoor:Win32/Poison.gen!F disguises itself as a screensaver with a Thanksgiving theme.



Installation

When run, Backdoor:Win32/Poison.gen!F drops a copy of itself into the %TEMP% folder as a file with a .tmp extension and executes it. In the wild, we have observed the malware arriving as Thanks.scr and dropping itself as %TEMP%\Thanks.tmp. It may also create a text file named %TEMP%\cchstinst.log that contains the original execution location of the malware.

It disguises its malicious behavior by dropping a clean screensaver and running it. The screensaver displays several Thanksgiving images similar to the following:
[Image: screenshot of the clean Thanksgiving-themed screensaver]

In the background, it silently drops its malicious file and executes it. The main malicious executable drops a copy of itself to the following locations:

  • <system folder>\wmdmps16.exe
  • <system folder>\dllcache\u67tre4.sys


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The clean screensaver may create the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
Sets value: "screensaver make with photo screensaver maker v3.6.2"
With data: "%TEMP%\Malware.scr"

It modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "IgfxTray"
With data: "wmdmps16.exe"

It also creates the following registry entries as part of its installation process:

In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6CE85E07-F03B-D49E-69AA-6B3434293707}
Sets value: "StubPath"
With data: "wmdmps16.exe"
Sets value: "@"
With data: "Microsoft VM"
Sets value: "ComponentID"
With data: "JAVAVM"
Sets value: "Version"
With data: "5,1,3802,0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER
Sets value: "NextInstance"
With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
Sets value: "Class"
With data: "LegacyDriver"
Sets value: "ClassGUID"
With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "ConfigFlags"
With data: "0x00000000"
Sets value: "DeviceDesc"
With data: "IpFilterDriver"
Sets value: "Legacy"
With data: "0x00000001"
Sets value: "Service"
With data: "IpFilterDriver"
Sets value: "DeviceDesc"
With data: "IP Traffic Filter Driver"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
Sets value: "*NewlyCreated*"
With data: "0x00000000"
Sets value: "ActiveService"
With data: "IpFilterDriver"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Enum
Sets value: "0"
With data: "Root\LEGACY_IPFILTERDRIVER\0000"
Sets value: "Count"
With data: "0x00000001"
Sets value: "NextInstance"
With data: "0x00000001"

As part of its installation process, it creates a mutex named "LoadLibraryEx2" to ensure that only one copy of the malware runs at any given time.



Payload

Allows backdoor access and control

Backdoor:Win32/Poison.gen!F allows unauthorized access to an affected computer; it communicates with a remote server to send and receive commands. An attacker can perform any number of different actions on an affected computer using this backdoor. These could include, but are not limited to, the following:

  • Download and execute arbitrary files
  • Open command shell
  • Upload files
  • Steal sensitive information


The backdoor starts Internet Explorer and injects code into it, in an attempt to evade common firewall programs. Once injected into the iexplore.exe process, it connects to the remote server to send information about the affected computer and receive commands. These commands may include downloading and executing arbitrary files.

The following information is sent to the remote server:

  • Username
  • Host name and IP
  • Computer name
  • Operating system version


In the wild, we have observed the backdoor attempting to connect to the following remote server:

  • nobody.serveftp.com


Deletes files

The malware creates the following registry entry in order to delete its installation files at the next reboot:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Sets value: "PendingFileRenameOperations"
With data: hex(7):<path names of the transient files that the malware wants to delete after reboot> (for example, '\\??\\<PATH>\\Thanks.scr\x00\x00\\??\\%Temp%\\~DF9EA2.tmp\x00\x00\\??\\%Temp%\\~DF9EBD.tmp\x00\x00\\??\\%Temp%\\~DF9EBD.tmp\x00\x00\x00')
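The value above is a REG_MULTI_SZ of source/destination pairs in which an empty destination means "delete at boot", which is how the dropper queues the removal of Thanks.scr and its %TEMP% leftovers. The following decoder is an added forensic example, not part of Microsoft's write-up; the sample value is constructed from the file names in the analysis, with placeholder paths.

```python
"""Decode a PendingFileRenameOperations value (REG_MULTI_SZ, exported as
hex(7)) into the file operations Session Manager applies at next boot.
Added example for defenders; SAMPLE is constructed, not observed data."""
from dataclasses import dataclass
from typing import List

NT_PREFIX = "\\??\\"                       # Win32 namespace prefix in the value
EXEC_EXT = (".scr", ".exe", ".dll", ".sys")


@dataclass
class PendingOp:
    source: str
    destination: str                      # "" means the source is deleted

    @property
    def is_delete(self) -> bool:
        return self.destination == ""


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(raw: bytes) -> List[PendingOp]:
    """raw: UTF-16LE NUL-separated strings, list ended by an empty string.
    Strings come in pairs: source, destination (empty = delete)."""
    parts = raw.decode("utf-16-le").split("\x00")
    ops, i = [], 0
    while i < len(parts) and parts[i] != "":  # "" here is the terminator
        dst = parts[i + 1] if i + 1 < len(parts) else ""
        ops.append(PendingOp(_strip_nt(parts[i]), _strip_nt(dst)))
        i += 2
    return ops


def deferred_executable_deletes(ops: List[PendingOp]) -> List[str]:
    """Executable-type files queued for deletion at boot: the pattern the
    dropper uses to remove Thanks.scr after installing its payload."""
    return [op.source for op in ops
            if op.is_delete and op.source.lower().endswith(EXEC_EXT)]


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build REG_MULTI_SZ bytes (used only to construct the sample)."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


# Constructed sample mirroring the shape quoted in the analysis; the
# directory names are placeholders, not values from the write-up.
SAMPLE = encode_multi_sz([
    r"\??\C:\Users\user\Desktop\Thanks.scr", "",            # delete dropper
    r"\??\C:\Users\user\AppData\Local\Temp\~DF9EA2.tmp", "",
    r"\??\C:\Users\user\AppData\Local\Temp\~DF9EBD.tmp", "",
])

if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE):
        print("DELETE" if op.is_delete else "RENAME", op.source, op.destination)
```

On a live system the same bytes come from reading the value with the registry API or from a hex(7) line in a .reg export; any delete of a .scr or .exe that the user did not schedule is worth a closer look.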

Modifies system settings

The malware modifies the affected computer's browser settings by making the following changes to the registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"



Analysis by Rex Plantado

Last update 09 February 2012
