This threat can give a malicious hacker access to the user's PC. It can also steal their personal information, such as their user names and passwords for some banking websites. 

Behavior

Installation

When run, this threat drops a DLL component in %ALLUSERSPROFILE%\AppData using a random file name with a DAT extension. Some of the file names it has been known to use are:


The DLL file is then injected into a running process, for example, any of the following:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe

This threat creates the following registry entry so that its DLL component automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<DLL file name>"
With data: "regsvr32.exe /s "%ALLUSERSPROFILE%\AppData\<DLL file name>.dat""

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "bqbclrtr"
With data: "regsvr32.exe /s "C:\Documents and Settings\All Users\Application Data\bqbclrtr.dat""
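As an added example that is not part of the original page, the following PowerShell check reads the current user's Run key for the regsvr32 /s <file>.dat persistence pattern described above and reports whether the referenced .dat file exists and whether it sits under %ALLUSERSPROFILE%. The function and variable names are assumptions; it only reads the registry and the file system.

```powershell
# Added example (not from the original page): audit HKCU Run for the
# "regsvr32.exe /s <path>.dat" pattern used by this threat's DLL component.
# Read-only; runs as the current user without elevation.

function Get-SuspiciousRegsvrRunEntry {
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) { return @() }

    $findings = @()
    $props = Get-ItemProperty -Path $runKey
    foreach ($prop in $props.PSObject.Properties) {
        # Skip PSPath/PSParentPath/... metadata added by the registry provider.
        if ($prop.Name -like 'PS*') { continue }
        $data = [string]$prop.Value

        # Match: regsvr32[.exe] /s "<path>.dat" (surrounding quotes optional).
        if ($data -match '(?i)regsvr32(\.exe)?\s+/s\s+"?([^"]+\.dat)"?') {
            $datPath = $Matches[2]
            # Expand %ALLUSERSPROFILE% and friends if stored unexpanded.
            $expanded = [Environment]::ExpandEnvironmentVariables($datPath)
            $allUsers = [string]$env:ALLUSERSPROFILE
            $findings += [pscustomobject]@{
                ValueName  = $prop.Name
                Command    = $data
                DatPath    = $expanded
                FileExists = Test-Path -LiteralPath $expanded
                InAllUsers = $expanded.StartsWith($allUsers, 'OrdinalIgnoreCase')
            }
        }
    }
    return $findings
}

$hits = @(Get-SuspiciousRegsvrRunEntry)
if ($hits.Count -eq 0) {
    'No regsvr32 /s *.dat entries found under HKCU Run.'
} else {
    'Run entries matching the described persistence pattern:'
    $hits | Format-List
}
```

A hit whose FileExists is true and InAllUsers is true matches the layout this description gives; a hit with FileExists false may be a leftover entry from a partial cleanup and still deserves a look.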

Payload

Changes Internet Explorer settings

This threat changes the following Internet Explorer settings:

  • Disables the home page warning message when Internet Explorer is opened for the first time:

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "NoProtectedModeBanner"
    With data: "dword:00000001"

  • Sets tabs and frames to run within the same process in IE:

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "TabProcGrowth"
    With data: "dword:00000000"

  • Lowers Internet zone security settings:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "2500"
    With data: "dword:00000003"

Lets a malicious hacker access the user's PC

This backdoor threat contacts a malicious hacker by connecting to a certain server. Some of the servers it has been known to connect to are:


Once connected, the malicious hacker can do any of the following:

  • Log the user's keystrokes
  • Take screenshots of the user's desktop
  • Open a remote command shell
  • Download and run files
  • Find out what processes are running on the user's PC
  • Get a list of the user's visited websites
  • Delete the user's browser cache
  • Delete files
  • Steal digital certificates saved in the user's PC
  • Steal IE and Firefox cookies
  • Start or stop processes like IE, Firefox, Outlook, Windows Explorer, Command prompt, and Task Manager
  • Change Firefox settings

Steal information

This backdoor threat can steal information such as the victim's user names and passwords for certain websites. We have observed this threat stealing this information when the user visits any of these websites:

  • caixaebanking.cgd.pt
  • chaseonline.chase.com

Note that the monitored websites can vary.

This threat also tries to steal cached passwords and keywords from Internet Explorer.

It also tries to steal stored user name and password information from these programs, which are mostly file transfer and email programs:

  • 32BitFtp
  • 3D-FTP
  • ALFTP
  • AceBIT
  • BitKinex
  • BlazeFtp
  • Bullet Proof FTP
  • COREFTP
  • CUTEFTP
  • ClassicFTP
  • CoffeeCup Software
  • Cryer
  • Cyberduck
  • DeluxeFTP
  • Directory Opus
  • EasyFTP
  • ExpanDrive
  • FFFTP
  • FTP CONTROL
  • FTP Commander
  • FTP Explorer
  • FTP Navigator
  • FTP++.Link
  • FTPGetter
  • FTPInfo
  • FTPNow
  • FTPRush
  • FTPShell
  • FTPVoyager
  • Far FTP Plugin
  • FastStone Browser
  • FileZilla
  • FlashFXP
  • Fling
  • FreshFTP
  • Frigate3
  • Global Downloader
  • GoFTP
  • Leapftp
  • LeechFTP
  • LinasFTP
  • Martin Prikryl
  • Mozilla Thunderbird
  • My FTP
  • NetDrive
  • NetSarang
  • NexusFile
  • Notepad++
  • NovaFTP
  • Odin
  • Pocomail
  • PuTTY
  • Remote Desktop
  • RimArts
  • Robo-FTP
  • SecureFX
  • SmartFTP
  • SoftX.org
  • Staff-FTP
  • TurboFTP
  • UltraFXP
  • Visicom Media
  • WS_FTP
  • WebDrive
  • WinFTP
  • WinZip FTP
  • Windows Commander
  • Windows Mail

The stolen credentials are then sent to the malicious hacker.

Prevents the user's AV software from running

This backdoor threat makes changes to the user's software restriction policies, which prevents certain AV software from running on their PC. If the user has any of this AV software installed, it might not run as expected:

  • a-squared Anti-Malware
  • a-squared HiJackFree
  • Agnitum
  • Alwil Software
  • AnVir Task Manager
  • ArcaBit
  • AVAST Software
  • AVG
  • Avira
  • BitDefender
  • BlockPost
  • DefenseWall HIPS
  • DrWeb
  • ESET
  • F-Secure
  • FRISK Software
  • G Data
  • K7 Computing
  • Kaspersky Lab
  • Lavasoft
  • McAfee
  • Norton AntiVirus
  • Online Solutions
  • P Tools
  • Panda Security
  • Positive Technologies
  • Sandboxie
  • Security Task Manager
  • Spyware Terminator
  • Sunbelt Software
  • Symantec
  • Trend Micro
  • UAenter
  • Xore
  • Zillya Antivirus