Backdoor:MSIL/Pontoeb.N
First posted on 12 June 2012.
Source: Microsoft
Aliases:
Backdoor:MSIL/Pontoeb.N is also known as Trojan.Agent.AVFA (BitDefender), Trojan.DownLoader6.3425 (Dr.Web), MSIL/Agent.NLB (ESET), Trojan-Dropper.Win32.Dapato.baff (Kaspersky), Generic Dropper!1qq (McAfee), W32/Agent.AASJB (Norman), Troj/Agent-VTP (Sophos), TROJ_DROPPER.VNK (Trend Micro).
Explanation:
Backdoor:MSIL/Pontoeb.N is a backdoor trojan written for the .NET Framework (MSIL) that connects to a remote server and waits for commands sent by an attacker. The commands can instruct the trojan to download files, gather and send details about your computer, launch flood (denial-of-service) attacks against other computers, and update its own code.
Installation
This trojan may be distributed on file sharing networks disguised as a 'keygen' or serial key generator. When run, it copies itself to one or more of the following locations (the 'Administrator' profile below is the account used during analysis; on other systems the %AppData% folder of the user who ran the file is used):
- C:\Users\Administrator\AppData\Roaming\wscntfy.exe
- C:\Users\Administrator\AppData\Roaming\wpnetwk.exe
- C:\Program Files\Common Files\lsmass.exe
The trojan bypasses the Windows Firewall by writing its files directly into the firewall's list of authorized applications in the system registry, and it registers itself to run whenever Windows starts.
Payload
Changes Windows settings
Backdoor:MSIL/Pontoeb.N changes Windows settings to perform the following:
- Disables User Account Control (UAC), so no consent prompt is shown when an application requires administrator (elevated) privileges
- Prevents Windows Explorer from displaying files marked as 'hidden'
Allows unauthorized remote access and control
Backdoor:MSIL/Pontoeb.N connects to one of these remote servers to listen for commands, sent by an attacker, that instruct the trojan to perform various payloads:
- 77.79.4.101
- 77.79.7.229
- agree.netau.net
- bot.spl0id.u2m.ru
- global-carding.ru
- hack2crew.org
- hcgcrew.info
- mynewclan.webuda.com
- seeq.u2m.ru
- tony45.host.sk
- sybli.host22.com
- xxtony.host.sk
- zonja.ru
The trojan will respond to commands sent by an attacker that instruct Pontoeb to perform the following:
- Connect to a specified website
- Download files
- Gather information about the affected computer, such as:
  - Disk drive serial number
  - System drive details
  - Operating system
  - Processor architecture
- Perform HTTP, SYN, and UDP flood attacks
- Update itself
Additional information
This trojan makes many changes to the Windows registry, including the following:
Purpose: execute when Windows starts
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows-Audio Driver"
With data: "%AppData%\wscntfy.exe" or "%AppData%\wpnetwk.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Windows-Network Component"
With data: "%CommonProgramFiles%\lsmass.exe"
In one of the following subkeys:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{125728E1-D0D8-9709-F968-AC75FBF77101}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1403017C-5B8A-E789-7BA8-D843BC94727C}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{190C3C45-CEA9-FEE4-96E6-7E9286F72E6B}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{19F96D35-45BE-1E2B-1DDA-CAE53A6D4ED6}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{28FA909A-B618-30E4-F00E-D566C11F3D0D}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3B667F27-AA8D-874B-068E-00D0D6BB8798}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{60F2CA65-D2E6-9C90-50A0-46CDB63D3F87}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{61B7C2C5-027D-90CA-DBB5-E157D18EBFA4}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75EC2D18-B4B0-57F8-1941-B9EA808AA7F5}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7C54CA08-4C16-5ACF-945C-0227E77F4FF7}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7F6109A4-597C-6D5A-FB3D-8ABE725C9624}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8C2B1E48-B3CB-F958-CE56-2403872CF622}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A0592843-6AB9-8676-F4F4-96591B5EC8E1}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B42AE212-5EAA-DB02-2D24-AA72115C74FB}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E014DC60-61D9-FF40-A7DD-BB1A45C47D4E}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{e27ac189-154d-11dd-8f2b-806d6172696f}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E39ACFFE-61E0-BF19-95B4-824D6CA0306E}
Sets value: "StubPath"
With data: "%AppData%\wscntfy.exe -r"
Active Setup runs a component's StubPath command once for each user at logon, before the desktop shell starts, so this entry re-launches the trojan for every account on the machine.
Purpose: Disable User Account Control (UAC), so that no consent or credential prompt is shown when an application, such as malware or an unknown program, requires administrator rights to execute (the change takes effect at the next restart)
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
Purpose: Set Windows Explorer's 'Hidden files and folders' option under 'Folder Options' to 'Do not show hidden files' (value 2), so that files marked as hidden are not displayed
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
Purpose: Add the malware to a list of authorized or approved programs that can run without being restricted by Windows Firewall
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "%CommonProgramFiles%\lsmass.exe"
With data: "%CommonProgramFiles%\lsmass.exe:*:enabled:windows-audio driver"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%CommonProgramFiles%\lsmass.exe"
With data: "%CommonProgramFiles%\lsmass.exe:*:enabled:windows-audio driver"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "%AppData%\wscntfy.exe" or "%AppData%\wpnetwk.exe"
With data: "%AppData%\wscntfy.exe:*:enabled:windows-audio driver" or "%AppData%\wpnetwk.exe:*:enabled:windows-audio driver"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%AppData%\wscntfy.exe" or "%AppData%\wpnetwk.exe"
With data: "%AppData%\wscntfy.exe:*:enabled:windows-audio driver" or "%AppData%\wpnetwk.exe:*:enabled:windows-audio driver"
Purpose: Do not log Windows driver event tracing sessions to a file. These Tracing keys, with LogSessionName set to "stdout", are also created by legitimate software that uses the same Windows networking components, so on their own they are a weak indicator; rely on the persistence, firewall and network indicators above instead.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
Sets value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier
Sets value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
Sets value: "Guid"
With data: "8aefce96-4618-42ff-a057-3536aa78233e"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
Sets value: "Guid"
With data: "710adbf0-ce88-40b4-a50d-231ada6593f0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
Sets value: "Guid"
With data: "b0278a28-76f1-4e15-b1df-14b209a12613"
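The file, registry and network indicators above can be checked on a suspect host with the following PowerShell triage script. This is an added example, not code from Microsoft's write-up. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-DnsClientCache and Get-NetTCPConnection), and it matches Active Setup entries on the StubPath content rather than on the GUIDs listed above, since the write-up gives those only as alternatives.

```powershell
# Added triage script for the Backdoor:MSIL/Pontoeb.N indicators listed on this page.
# Not Microsoft's code. Run from an elevated PowerShell prompt on the suspect host.
# Assumptions: Windows 8 / Server 2012 or later for Get-DnsClientCache and
# Get-NetTCPConnection; absent keys and values are normal and are skipped silently.

$findings = New-Object System.Collections.Generic.List[string]
$dropperNames = 'wscntfy\.exe|wpnetwk\.exe|lsmass\.exe'

# 1. Dropped files: %AppData% (Roaming) of every profile, and %CommonProgramFiles%.
$profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue
foreach ($u in $profiles) {
    foreach ($name in 'wscntfy.exe', 'wpnetwk.exe') {
        $p = Join-Path $u.FullName "AppData\Roaming\$name"
        if (Test-Path -LiteralPath $p) { $findings.Add("dropped file: $p") }
    }
}
$p = Join-Path $env:CommonProgramFiles 'lsmass.exe'
if (Test-Path -LiteralPath $p) { $findings.Add("dropped file: $p") }

# 2. Run-key persistence under the value names the sample uses.
$runValues = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                  = 'Windows-Audio Driver'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = 'Windows-Network Component'
}
foreach ($key in $runValues.Keys) {
    $valueName = $runValues[$key]
    $data = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($data) { $findings.Add("autorun value '$valueName' in $key = $data") }
}

# 3. Active Setup: match on the StubPath content, not on a fixed GUID list.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
foreach ($component in (Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue)) {
    $stub = (Get-ItemProperty -Path $component.PSPath -Name 'StubPath' -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match $dropperNames) {
        $findings.Add("Active Setup StubPath in $($component.PSChildName) = $stub")
    }
}

# 4. Settings the sample changes: UAC off, hidden files suppressed.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($policy -and $policy.EnableLUA -eq 0) { $findings.Add('UAC disabled: EnableLUA = 0') }
$advanced = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($advanced -and $advanced.Hidden -eq 2) { $findings.Add('Hidden files suppressed: Explorer\Advanced\Hidden = 2') }

# 5. Firewall exceptions written straight into the registry.
#    Value data format: <path>:<scope>:<enabled|disabled>:<display name>
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $listKey = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
    $list = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
    if ($null -eq $list) { continue }
    foreach ($entry in $list.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }    # provider metadata (PSPath, PSParentPath, ...)
        if ($entry.Value -match '^(?<path>.+?):(?<scope>[^:]*):(?<state>enabled|disabled):(?<name>.*)$') {
            $path = $Matches.path; $state = $Matches.state; $display = $Matches.name
            if ($state -eq 'enabled' -and ($path -match $dropperNames -or $display -eq 'windows-audio driver')) {
                $findings.Add("firewall exception ($fwProfile): $($entry.Value)")
            }
        }
    }
}

# 6. Network: C2 names in the resolver cache, C2 addresses in live TCP connections.
$c2Names = 'agree.netau.net', 'bot.spl0id.u2m.ru', 'global-carding.ru', 'hack2crew.org', 'hcgcrew.info',
           'mynewclan.webuda.com', 'seeq.u2m.ru', 'tony45.host.sk', 'sybli.host22.com', 'xxtony.host.sk', 'zonja.ru'
$c2Addrs = '77.79.4.101', '77.79.7.229'
foreach ($rec in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    if ($c2Names -contains $rec.Entry -or $c2Addrs -contains $rec.Data) {
        $findings.Add("DNS cache: $($rec.Entry) -> $($rec.Data)")
    }
}
foreach ($conn in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
    if ($c2Addrs -contains $conn.RemoteAddress) {
        $findings.Add("TCP connection to C2: $($conn.RemoteAddress):$($conn.RemotePort) from PID $($conn.OwningProcess)")
    }
}

if ($findings.Count -eq 0) { 'No Pontoeb.N indicators found.' } else { $findings }
```

If the sample runs as a 32-bit process on 64-bit Windows, the Run and Active Setup keys it writes land under HKLM:\SOFTWARE\Wow6432Node\... instead; add those paths to $runValues and $activeSetup to cover that case. The firewall check flags any enabled entry whose display name is the sample's "windows-audio driver" string, so it will also catch a variant that drops a differently named binary.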
Analysis by Hyun Choi
Last update 12 June 2012