
Backdoor:MSIL/Pontoeb.G


First posted on 02 April 2013.
Source: Microsoft

Aliases:

Backdoor:MSIL/Pontoeb.G is also known as Worm/Win32.Arcdoor (AhnLab), W32/Trojan2.NFSU (Command), Worm.MSIL.Arcdoor.ae (Kaspersky), W32/Smallworm.AKWT (Norman), Worm/Msil (AVG), Worm/MSIL.Arcdo.aea (Avira), MSIL/Arcdoor.AE worm (ESET), Worm.MSIL (Ikarus), Mal/MSIL-BA (Sophos).

Explanation:



Installation

If you are running as an administrator on your computer, this malware copies itself to the following locations:

  • <system folder>\audiohd.exe
  • %CommonProgramFiles%\wudhost.exe


To make sure it runs at each Windows start, it creates the following registry entries:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Audio Driver"
With data: "%SystemDrive%\audiohd.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Windows-Network Component"
With data: "%ProgramFiles%\Common Files\wudhost.exe"

If you are not running as an administrator, it copies itself to the following locations instead:

  • %APPDATA%\audiohd.exe
  • %TEMP%\wudhost.exe


In that case the registry entries are as follows:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Audio Driver"
With data: "%AppData%\audiohd.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Windows-Network Component"
With data: "%Temp%\wudhost.exe"

Spreads via...

Logical drives

It enumerates all logical drives on your computer and their subfolders, looking for files with the following extensions:

  • .zip
  • .rar


If files of these types are found, this malware checks whether the following file exists on your computer:

%ProgramFiles%\WinRar\WinRar.exe

If this file is found, this malware uses it to insert itself into the .zip and .rar archives as a file named "setup.exe".

Peer-to-peer (P2P) sharing

This malware may drop copies of itself into the shared folders of the following P2P programs, using the file name "Windows7 Crack v3.5.exe" or "Nero 10 HD Keygen 2011.exe":

  • BearShare
  • eDonkey
  • eMule
  • Grokster
  • ICQ
  • Kazaa
  • LimeWire
  • Morpheus
  • Shareaza
  • Tesla
  • WinMX


Network shares, and mapped and removable drives

It looks for network shares and copies itself to them as a file named "startme.exe". It also searches for mapped network drives and copies itself to them as "winadmin-setup.exe".

If it finds a removable drive on your computer, it copies itself to the drive as "autorun.exe" and creates a file named "autorun.inf" so that the copy runs automatically when the drive is accessed on a computer where Autorun is enabled.
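The removable-drive behaviour above (an autorun.inf on the drive that starts a dropped autorun.exe) can be checked before a drive is trusted. The following is an added example, not part of the original analysis: it parses an autorun.inf, reports every launch directive (open, shellexecute, shell\<verb>\command) that names an executable, and can check whether that executable is actually present on the drive. The sample autorun.inf embedded in it is constructed for illustration.

```python
"""Inspect an autorun.inf for launch directives that point at an executable,
the pattern described above for removable drives (autorun.inf starting
autorun.exe). Added example, not part of the original analysis; the sample
file below is constructed."""
import re
import shlex
from pathlib import Path, PureWindowsPath

# Directives that make the Autorun/AutoPlay handler start a program. The
# shell\<verb>\command form is matched by the regex.
LAUNCH_KEYS = {"open", "shellexecute"}
_SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def parse_autorun_inf(text):
    """Return the [autorun] section as {lower-cased key: value}. Other sections,
    blank lines and ';' comments are ignored; values keep their quoting."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_executables(entries):
    """Return (directive, program) for each launch directive whose program
    (first command-line token, quotes removed) has an executable extension."""
    hits = []
    for key, value in entries.items():
        if key not in LAUNCH_KEYS and not _SHELL_COMMAND.match(key):
            continue
        try:
            tokens = shlex.split(value, posix=False)  # keeps "quoted name.exe" together
        except ValueError:                            # unbalanced quotes: fall back
            tokens = value.split()
        program = tokens[0].strip('"') if tokens else ""
        if PureWindowsPath(program).suffix.lower() in EXECUTABLE_EXT:
            hits.append((key, program))
    return hits


def scan_drive(root):
    """Read <root>/autorun.inf if present and report each launch directive
    together with whether the program it names actually exists on the drive."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    entries = parse_autorun_inf(inf.read_text(errors="replace"))
    return [(key, prog, (Path(root) / prog).is_file())
            for key, prog in launched_executables(entries)]


# Constructed sample reproducing the behaviour described in the write-up.
SAMPLE_INF = r"""[autorun]
;launcher dropped next to the copy named autorun.exe
open=autorun.exe
shell\open\command=autorun.exe
icon=autorun.exe,0
label=Removable Disk
action=Open folder to view files
"""

if __name__ == "__main__":
    for directive, program in launched_executables(parse_autorun_inf(SAMPLE_INF)):
        print(f"[!] {directive} starts {program}")
```

Run `scan_drive("E:\\")` (or the mount point of the drive) on a host where the drive is attached; an `icon=` or `label=` entry alone is not reported, only directives that would start a program. Disabling Autorun/AutoPlay by policy removes the execution path entirely, but the check is still useful for triage of a drive that has been used on an infected machine.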

Torrent programs

If any of the following torrent programs is installed on your computer, it seeds itself:

  • BitTorrent
  • uTorrent
  • Vuze Azureus


Payload

Allows backdoor access and control

It connects to the server "test.kerber0s.org" via HTTP to receive commands from a remote attacker. These commands may include, but are not limited to, the following:

  • Gather the following information about your computer:
    • Disk drive serial number
    • System drive details
    • Operating system
    • Processor architecture
    • Computer name
  • Start or stop flood attacks using SYN, UDP, HTTP, or ICMP protocol
  • Update itself
  • Download an arbitrary file and run it


Information stealer

It watches for windows whose titles contain any of the following strings and, when one is found, logs your keystrokes:

  • betclic
  • bwin
  • clickandbuy
  • credit card
  • dhl packstation
  • ebay
  • kreditkarte
  • neckermann
  • paypal
  • postbank
  • schwab versand
  • sparkasse
  • titan poker
  • wh poker


Changes computer settings

This malware disables Least User Access (LUA) on your computer. LUA is the policy behind User Account Control (UAC), the system prompts that appear when you try to run a program that requires administrator rights. It does so by setting the following registry values:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

It also disables balloon notifications from the taskbar:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "EnableBalloonTips"
With data: "0"

It also sets the following registry entry to prevent the display of files marked as hidden, even if the option to view hidden files is enabled under 'Folder Options' in Windows Explorer:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
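The persistence values from the Installation section and the policy changes just listed can all be checked offline against a registry export. The script below is an added example, not part of the original analysis: it parses Regedit / `reg export` text (`[KEY]` lines followed by `"Name"="data"` or `"Name"=dword:…` lines), normalizes hive names and DWORD data, and reports each indicator from this write-up that it finds. Persistence values are reported whenever the value name exists, because the data path differs between the administrator and non-administrator installs; policy values are reported only when the data matches what the malware writes. The sample export embedded in it is constructed for illustration and mixes benign entries with the non-administrator values from this page.

```python
"""Check a Windows registry export (.reg text) for the persistence values from
the Installation section and the policy changes from the Changes computer
settings section of this write-up. Added example, not part of the original
analysis; the sample export at the bottom is constructed, not a real capture."""
import re

# Indicator table built from the write-up. Persistence entries (expected=None)
# are flagged whenever the value name exists; policy entries are flagged only
# when the data matches what the malware writes.
INDICATORS = [
    # (subkey, value name, expected data or None, description)
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "Windows Audio Driver", None, "Run-key persistence (admin install)"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "Windows-Network Component", None, "policy Run persistence (admin install)"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "Windows Audio Driver", None, "Run-key persistence (non-admin install)"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "Windows-Network Component", None, "policy Run persistence (non-admin install)"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", "0", "UAC (LUA) disabled machine-wide"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", "0", "UAC (LUA) disabled for the current user"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "EnableBalloonTips", "0", "taskbar balloon notifications disabled"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", "2", "hidden files forced not to display"),
]

_HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_QUOTED = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def _norm_key(path):
    """Lower-case a key path and shorten the hive so that
    HKEY_CURRENT_USER\\... and HKCU\\... compare equal."""
    hive, sep, rest = path.partition("\\")
    return _HIVES.get(hive.lower(), hive.lower()) + sep + rest.lower()


def _decode_data(raw):
    """Turn the right-hand side of a .reg value line into a comparable string."""
    m = _QUOTED.match(raw)
    if m:                                   # REG_SZ: undo \\ and \" escaping
        return re.sub(r"\\(.)", r"\1", m.group(1))
    if raw.lower().startswith("dword:"):    # REG_DWORD: hex -> decimal string
        return str(int(raw[6:], 16))
    return raw                              # hex:/hex(2): etc. left as written


def parse_reg_export(text):
    """Parse Regedit / `reg export` text into {normalized key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_LINE.match(line)
        if km:
            current = _norm_key(km.group(1))
            keys.setdefault(current, {})
            continue
        vm = _VALUE_LINE.match(line)
        if vm and current is not None:
            name = vm.group(1) if vm.group(1) is not None else "(Default)"
            keys[current][name] = _decode_data(vm.group(3))
    return keys


def find_indicators(keys):
    """Return (subkey, value name, data, description) for every indicator hit."""
    hits = []
    for subkey, name, expected, why in INDICATORS:
        values = keys.get(_norm_key(subkey), {})
        if name in values and (expected is None or values[name] == expected):
            hits.append((subkey, name, values[name], why))
    return hits


# Constructed sample export: benign entries mixed with the values the write-up
# lists for a non-admin installation.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Audio Driver"="%AppData%\\audiohd.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Windows-Network Component"="%Temp%\\wudhost.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"EnableBalloonTips"=dword:00000000
'''

if __name__ == "__main__":
    for subkey, name, data, why in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[!] {why}: {subkey} -> {name} = {data}")
```

To use it on a real host, export the relevant keys (for example `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg`) and pass the file's text to `parse_reg_export`; Regedit writes exports as UTF-16, so open them with `encoding="utf-16"`. A hit on a Run value is worth following up even when the data is not the exact path on this page, since the copy location depends on the privilege level at install time.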

Additional information

This malware does not run if it detects that it is being debugged, or that it is running inside the Sandboxie program or an emulator. It may also stop running if it finds that any of the following programs are installed on your computer:

  • Cain
  • Filemon
  • Netmon
  • Netstat
  • Parallels Desktop
  • Procmon
  • Regmon
  • Tcpview
  • VirtualBox
  • VirtualPC
  • VMWare
  • Wireshark




Analysis by Gilou Tenebro

Last update 02 April 2013
