
Backdoor:Win32/Caphaw.D


First posted on 05 September 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Caphaw.D is also known as BDS/Caphaw.D.66 (Avira), Backdoor.Win32.Caphaw (Ikarus).

Explanation:

Backdoor:Win32/Caphaw.D is a trojan that gives an attacker unauthorized access to, and control of, your computer.



Installation

When executed, Backdoor:Win32/Caphaw.D makes a copy of itself in a variable location, such as one of the following:

  • %AppData%\adobe
  • %AppData%\adobe\acrobat\8.0\preferences
  • %AppData%\adobe\acrobat\8.0\synchronizer\metadata
  • %AppData%\adobe\linguistics\dictionaries
  • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\all
  • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\brt
  • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng
  • %AppData%\limewire
  • %AppData%\microsoft\excel\xlstart
  • %AppData%\microsoft\templates
  • %AppData%\shareaza
  • %AppData%\winmx music


with a variable file name, such as any of the following:

  • arp.exe
  • cliconfg.exe
  • dfrgfat.exe
  • gdi.exe
  • lsass.exe
  • mshearts.exe
  • qwinsta.exe
  • sdbinst.exe
  • slrundll.exe
  • spoolsv.exe
  • taskkill.exe
  • taskman.exe
  • taskmgr.exe
  • winlogon.exe
  • wpabaln.exe


Note that the following legitimate files exist by default in the Windows system folder, so the file name alone does not identify the malware; the copy's location under %AppData% does:

  • arp.exe
  • cliconfg.exe
  • lsass.exe
  • qwinsta.exe
  • sdbinst.exe
  • spoolsv.exe
  • taskkill.exe
  • taskmgr.exe
  • winlogon.exe


It modifies the registry to ensure it runs at each Windows restart:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, {81609907-FFED-EC46-7CA6-F8CF6C5B8516})
With data: "<full installation path>" (for example "%AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng\taskman.exe")

The malware creates a mutex whose name is built from the random CLSID (for example, 81609907FFEDEC467CA6F8CF6C5B851681609907F81609907). It may do this to ensure that only one copy of the malware is running on your computer at any one time.
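The installation details above (a Run value named after a random CLSID, a copy stored under %AppData%, and a file name borrowed from a Windows system binary) can be hunted for directly in the current user's registry hive. The following PowerShell script is an added example written for this page, not code from Microsoft's write-up; it assumes Windows PowerShell 5.1 or later and that the Run value data is a bare path as shown above (a quoted path followed by arguments is handled by taking only the quoted part). The function name Get-SuspiciousRunValue is the example's own.

```powershell
# Added example, not part of the Microsoft write-up: hunt for the Caphaw.D
# persistence pattern in HKCU. Assumes Windows PowerShell 5.1 or later.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Caphaw.D names its Run value after a random CLSID, e.g. {81609907-FFED-EC46-7CA6-F8CF6C5B8516}
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
# File names from the write-up that also exist as legitimate binaries in the system folder
$systemNames = @('arp.exe','cliconfg.exe','lsass.exe','qwinsta.exe','sdbinst.exe',
                 'spoolsv.exe','taskkill.exe','taskmgr.exe','winlogon.exe')
# Provider metadata that Get-ItemProperty attaches to every key; these are not registry values
$providerProps = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')
$appData = [Environment]::GetFolderPath('ApplicationData')   # resolves %AppData%

function Get-SuspiciousRunValue {
    $item = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        $data = [string]$prop.Value
        # Take the quoted executable if present, else the whole string; expand %AppData% etc.
        $exe  = if ($data -match '^"([^"]+)"') { $Matches[1] } else { $data.Trim() }
        $path = [Environment]::ExpandEnvironmentVariables($exe)
        $leaf = [IO.Path]::GetFileName($path)
        $reasons = @()
        if ($prop.Name -match $clsidPattern) { $reasons += 'CLSID-shaped value name' }
        if ($path.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)) { $reasons += 'runs from %AppData%' }
        if ($systemNames -contains $leaf.ToLowerInvariant() -and
            -not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "uses system binary name '$leaf' outside %SystemRoot%"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ValueName = $prop.Name
                Path      = $path
                OnDisk    = Test-Path -LiteralPath $path -PathType Leaf
                Reasons   = $reasons -join '; '
            }
        }
    }
}

Get-SuspiciousRunValue | Format-Table -AutoSize
```

Each hit lists every reason it was flagged; a single reason (for example an installer that legitimately runs from %AppData%) is weaker evidence than a CLSID-named value pointing at a system binary name under %AppData%, which is the combination the write-up describes. The OnDisk column distinguishes a live copy from a stale value left behind after cleanup.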

It injects code into explorer.exe, then deletes itself after it has performed its malicious routine.

Backdoor:Win32/Caphaw.D injects itself into the following processes in an effort to hinder detection and removal:

  • cmd.exe
  • DW20.EXE
  • ElementClient.exe
  • explorer.exe
  • fescom.exe
  • fsav.exe
  • game.exe
  • inort.exe
  • Kavstart.exe
  • mrt.exe
  • Persephone.exe
  • QQgame.exe
  • reader_sl.exe


Payload

Allows backdoor access and control

Backdoor:Win32/Caphaw.D attempts to communicate over TCP port 443 with certain servers, such as the following:

  • barclays-touchclarity.cc
  • dig-services.su
  • main-protec.at
  • paragua-store.su
  • plc-statistics.su
  • some-system.cc
  • struc-main.su
  • upd-stat.cc
  • worldwide-statistics.net


Using this backdoor, an attacker can perform any number of different actions on an affected computer, such as:

  • Take control of your computer's desktop, which allows the attacker to see the desktop, and to gain control of the mouse and keyboard
  • Access files and folders via an internal FTP server
  • Redirect Internet traffic via a proxy server
  • Send ICMP (Internet Control Message Protocol) packets that can be used in distributed denial-of-service (DDoS) attacks
  • Log and redirect web traffic from Mozilla Firefox and Internet Explorer
  • Update itself
  • Shut down or restart your computer




Analysis by Hyun Choi

Last update 05 September 2012

 
