Infection Channel: Dropped by other malware
This malware is a backdoor whose primary purpose is stealing information from online transactions. The list of monitored URLs can be dynamically updated by a cybercriminal. It also has features that enable it to run on Windows Vista and Windows 7.
To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may be dropped by other malware.
It executes commands from a remote malicious user, effectively compromising the affected system.
File size: Varies
File type: JS
Memory resident: Yes
Initial samples received date: 08 Mar 2012
Payload: Compromises system security
Arrival Details
This backdoor may be dropped by the following malware:
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- !storage! – retrieves the stored passwords of the browser where this malware is running, and sends them to the C&C server
- !block! – sets the registry entry HKEY_CURRENT_USER\UDP !block!
- !screen! – sets the registry entry HKEY_CURRENT_USER\UDP !screen!
- !filter! – sets the registry entry HKEY_CURRENT_USER\UDP !filter!
- !alt! – sets the registry entry HKEY_CURRENT_USER\UDP !alt!, which contains the alternate C&C servers
- !tickit! – sets the registry entry HKEY_CURRENT_USER\UDP !tickit!
- !content! – creates the registry key HKEY_CURRENT_USER\UDP\c and sets registry entries in it
- !reder! – creates the registry key HKEY_CURRENT_USER\UDP\r and sets registry entries in it
- !cmd! – downloads a file and executes it
- !kill! – deletes the files C:\boot.ini, %System%\dllcache\userinit.exe and %System%\userinit.exe, and forcibly restarts the PC
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
NOTES:
It gets the C&C server from the following registry entries:
HKEY_CURRENT_USER\UDP
g = "{obfuscated C&C server URL}"
HKEY_CURRENT_USER\UDP
!alt! = "{obfuscated alternate C&C server URLs}"
When the browser loads a web page, it checks whether the URL is defined in HKEY_CURRENT_USER\UDP\c. If the URL is defined, it injects HTML containing JavaScript code into the loading web page.
It checks if the URL is defined in the following registry entry:
HKEY_CURRENT_USER\UDP
!block! = "{list of URLs to block}"
If it is found in !block!, the URL is blocked and redirected to another URL defined in the following registry entry:
HKEY_CURRENT_USER\UDP
!reder! = "{list of URLs to redirect to}"
It hooks the submit, click, and keypress events. When a form is submitted, it sends the target URL together with all the form data to the C&C server. When a button or link is clicked, the target URL is sent to the C&C server. When a keypress event is detected and the pressed key is Enter, the target URL together with the form data (if the Enter key is used to submit a form) is sent to the C&C server.
This JavaScript runs under Mozilla Firefox.
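The registry key and value names above are the most direct host artifacts of this backdoor. The following script is an added example (not from the write-up or any vendor tool) that parses a .reg export and flags the HKEY_CURRENT_USER\UDP key, its listed values, and the c and r subkeys; the export text embedded in it is constructed for illustration, and the value names inside the c subkey are placeholders since the page does not list them.

```python
import re

# Key path and value names are those the write-up lists; the .reg export below is
# constructed for this example and is not a real sample.
UDP_KEY = r"HKEY_CURRENT_USER\UDP"
UDP_SUBKEYS = (UDP_KEY + r"\c", UDP_KEY + r"\r")   # injection and redirect lists
UDP_VALUES = {"g", "!alt!", "!block!", "!reder!", "!screen!", "!filter!", "!tickit!"}
KNOWN_KEYS = {k.lower(): k for k in (UDP_KEY, *UDP_SUBKEYS)}  # registry paths are case-insensitive

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def find_udp_artifacts(reg_text):
    """Parse a .reg export and return {key_path: {value_name: data}} for
    HKCU\\UDP and its c/r subkeys; an empty dict means nothing was found."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = KNOWN_KEYS.get(key.group(1).lower())
            if current is not None:
                found.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if current is None or not val:
            continue
        name, data = val.group(1), val.group(2)
        if current == UDP_KEY and name.lower() not in UDP_VALUES:
            continue   # unrelated value under the top key
        found[current][name] = data.strip('"')   # string data only; hex/dword kept raw
    return found

def is_suspicious(found):
    """True if any of the C&C/control values exist under HKCU\\UDP or either
    list subkey (c, r) is present, regardless of what the values contain."""
    return bool(found.get(UDP_KEY)) or any(k in found for k in UDP_SUBKEYS)

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example]
"Harmless"="1"

[HKEY_CURRENT_USER\UDP]
"g"="{obfuscated C&C server URL}"
"!block!"="{list of URLs to block}"

[HKEY_CURRENT_USER\UDP\c]
"0"="{injection target placeholder}"
"""

if __name__ == "__main__":
    hits = find_udp_artifacts(SAMPLE_REG)
    print("suspicious" if is_suspicious(hits) else "clean", hits)
```

On a live host the input can be produced with `reg export HKCU\UDP udp.reg`; reg.exe writes UTF-16, so decode the file before passing its text in.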