VIRUS NAME: BackDoor-AJX
Trojan
Characteristics
This trojan masquerades as Internet banking software, whereas it is in fact a backdoor and keylogging trojan. It opens a port (61000) on the victim machine and creates a log file containing system information and keylogger output. It is multi-component in nature, consisting of nested self-extracting (SFX) archives, a keyboard-hooking DLL and batch files.
At the time of writing AVERT had not received a sample of this from the field, merely enquiries from customers.
Installation
The trojan is likely to arrive as a single 444,416-byte executable (a self-extracting archive). When run, it creates the directory C:\BancoBrasil and drops a series of files into it. A dropped batch file is then run, which moves some of these files before executing a second self-extracting archive. The following file system changes are apparent following infection:
1. C:\BancoBrasil\BB Internet Banking.htm (2,784 bytes)
2. C:\BancoBrasil\bb.bat (98 bytes)
3. C:\BancoBrasil\Setup.pif (967 bytes)
4. C:\BancoBrasil\Images\ (various GIFs, global.js)
5. %WinDir%\System\Setup.exe (413,696 byte SFX)
6. %WinDir%\System\DosPrmt.exe (728,064 bytes)
7. %WinDir%\System\Control.ini (78 bytes)
8. %WinDir%\System\ttwain.dll (44,544 bytes)
9. %WinDir%\System\lista.log (the keylogger output file)
10. %WinDir%\Desktop\BB Intnet Banking.lnk (shortcut to 1.)
The second SFX (Setup.exe), which is moved to %WinDir%\System and executed, drops the core trojan component, DOSPRMT.EXE, and its accompanying files CONTROL.INI and TTWAIN.DLL.
Operation
Once running, DOSPRMT.EXE opens a port on the victim machine (port 61000) and issues an HTTP GET request to a Brazilian website. It builds a list of files in the directory C:\WINDOWS\FAVORITOS (the Favorites folder on a Portuguese-language Windows installation) and adds the following Registry hook so that it runs at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
"DOSPRMT.EXE" = C:\WINDOWS\SYSTEM\DOSPRMT.EXE
The LISTA.LOG log file contains system information, a directory listing of C:\Windows\Favoritos and a key log section. The section headers are Portuguese: REINICIALIZADO is "restarted", INFORMACOES is "information", FAVORITOS is "favourites" and TECLAS LOGADAS is "logged keys":
***********************REINICIALIZADO*****************
------------------------------------------------------
I N F O R M A C O E S
------------------------------------------------------
Windows98SE
V3.VG
100.0.0.3
------------------------------------------------------
F A V O R I T O S
------------------------------------------------------
testfile.1
testfile.2
testfile.3
testfile.4
testfile.5
------------------------------------------------------
T E C L A S L O G A D A S
------------------------------------------------------
Note: if the folder C:\WINDOWS\FAVORITOS does not exist on the victim machine, the Registry hook is not added and nothing is written to LISTA.LOG. The absence of the Registry value or of the log file therefore does not rule out infection; the dropped files listed above remain the reliable indicator.
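The LISTA.LOG layout above is regular enough to parse mechanically, which is useful when an analyst recovers the file from a victim and wants to know what was captured. The following parser is an added example, not AVERT's code: the sample log is constructed from the layout shown in the write-up, and the two keystroke lines at its end are invented (the write-up shows that section empty).

```python
"""Parse the LISTA.LOG layout shown above into per-restart sessions.

Added example: this is not AVERT's code. The sample log is constructed
from the layout in the write-up; the keystroke lines are invented to show
what the last section would hold on a real victim.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout shown in the write-up.
SAMPLE_LOG = """\
***********************REINICIALIZADO*****************
------------------------------------------------------
I N F O R M A C O E S
------------------------------------------------------
Windows98SE
V3.VG
100.0.0.3
------------------------------------------------------
F A V O R I T O S
------------------------------------------------------
testfile.1
testfile.2
testfile.3
testfile.4
testfile.5
------------------------------------------------------
T E C L A S L O G A D A S
------------------------------------------------------
www.example.com.br
agencia 1234 conta 56789 senha hunter2
"""

RESTART_MARKER = re.compile(r"^\*+REINICIALIZADO\*+$")  # "restarted"
SEPARATOR = re.compile(r"^-{10,}$")

# Section headers are written with a space between each letter, e.g.
# "T E C L A S L O G A D A S"; the spaces are squashed before matching.
SECTION_FIELDS = {
    "INFORMACOES": "info",          # system information
    "FAVORITOS": "favourites",      # listing of C:\WINDOWS\FAVORITOS
    "TECLASLOGADAS": "keystrokes",  # "logged keys"
}


@dataclass
class LogSession:
    """What the trojan recorded between one REINICIALIZADO marker and the next."""
    info: list = field(default_factory=list)
    favourites: list = field(default_factory=list)
    keystrokes: list = field(default_factory=list)


def parse_lista_log(text):
    """Split LISTA.LOG into LogSession objects, one per restart marker."""
    sessions, current, target = [], None, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if RESTART_MARKER.match(line):
            current = LogSession()
            sessions.append(current)
            target = None
        elif SEPARATOR.match(line):
            # A header is one line framed by two separator lines.
            if i + 2 < len(lines) and SEPARATOR.match(lines[i + 2].rstrip()):
                header = lines[i + 1].replace(" ", "").upper()
                target = SECTION_FIELDS.get(header)
                i += 3
                continue
            target = None  # stray separator: stop collecting until the next header
        elif current is not None and target is not None and line:
            getattr(current, target).append(line)
        i += 1
    return sessions


def victim_summary(session):
    """In the write-up's sample the first INFORMACOES line is the OS and the
    third is an IP address; the second line's meaning is not documented there."""
    info = session.info
    return {
        "os": info[0] if len(info) > 0 else None,
        "ip": info[2] if len(info) > 2 else None,
        "favourites": len(session.favourites),
        "keystroke_lines": len(session.keystrokes),
    }


if __name__ == "__main__":
    for n, s in enumerate(parse_lista_log(SAMPLE_LOG), 1):
        print(f"session {n}: {victim_summary(s)}")
```

Each REINICIALIZADO marker starts a new session, so a log that spans several reboots yields one LogSession per reboot; the keystroke section is where banking credentials would land, which is why the file should be handled as sensitive evidence.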
Strings within DOSPRMT.EXE suggest that its backdoor functionality consists of file transfer through the opened port.
DOSPRMT.EXE also contains the string (Portuguese, roughly "M|GhT against reverse engineering hahaha!!!!"):
M|GhT contra engenharia Reversa huahuahahuhua!!!!
The CONTROL.INI file contains date and email parameters. The email address is presumably the one to which the log is intended to be sent (not observed in testing). The date parameter ('Auto Deletar', Portuguese for "auto delete") suggests a date upon which the trojan removes itself from the system. Again, this was not observed in testing.
Symptoms
Existence of the above-mentioned files.
Port 61000 open on the victim machine.
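An offline triage check against these symptoms, added here as an example and not AVERT's own tooling. It works on collected text artefacts (a file inventory, the output of netstat -an and a registry export) rather than a live host, so it can run on evidence pulled from an image. The sample inputs are constructed; %WinDir% is assumed to be C:\WINDOWS as in the write-up's own paths, and the constructed registry export places the DOSPRMT.EXE value under the Run subkey, which is an assumption (the write-up prints the key as ...\CurrentVersion), so the matcher accepts a value of that name anywhere beneath CurrentVersion.

```python
"""Offline IOC check for the BackDoor-AJX artefacts listed in this write-up.

Added example, not AVERT's tooling. Inputs are text artefacts collected
from the host; %WinDir% is assumed to be C:\\WINDOWS.
"""
import re

BACKDOOR_PORT = 61000
RUN_VALUE_NAME = "DOSPRMT.EXE"
REG_KEY_PREFIX = r"hkey_local_machine\software\microsoft\windows\currentversion"

# Dropped files with the sizes given in the write-up. Paths are lower-cased
# for comparison because Windows paths are case-insensitive.
DROPPED_FILES = {
    r"c:\bancobrasil\bb.bat": 98,
    r"c:\bancobrasil\setup.pif": 967,
    r"c:\windows\system\setup.exe": 413696,
    r"c:\windows\system\dosprmt.exe": 728064,
    r"c:\windows\system\control.ini": 78,
    r"c:\windows\system\ttwain.dll": 44544,
}
CORE_COMPONENT = r"c:\windows\system\dosprmt.exe"

NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
REG_SECTION = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample artefacts from a hypothetical infected Windows 98 host.
SAMPLE_INVENTORY = [
    (r"C:\BancoBrasil\bb.bat", 98),
    (r"C:\BancoBrasil\Setup.pif", 967),
    (r"C:\WINDOWS\SYSTEM\DOSPRMT.EXE", 728064),
    (r"C:\WINDOWS\SYSTEM\TTWAIN.DLL", 44544),
    (r"C:\WINDOWS\SYSTEM\Control.ini", 78),
    (r"C:\WINDOWS\WIN.INI", 1234),
]
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    100.0.0.3:61000        0.0.0.0:0              LISTENING
  TCP    100.0.0.3:1025         200.0.0.1:80           ESTABLISHED
"""
# The Run subkey is an assumption; the write-up prints the key without it.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DOSPRMT.EXE"="C:\\WINDOWS\\SYSTEM\\DOSPRMT.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""


def check_files(inventory):
    """inventory: iterable of (path, size). Returns {path: 'match' | 'size-differs'}."""
    hits = {}
    for path, size in inventory:
        expected = DROPPED_FILES.get(path.lower())
        if expected is not None:
            hits[path.lower()] = "match" if size == expected else "size-differs"
    return hits


def listening_ports(netstat_text):
    """Set of local TCP ports in LISTENING state from 'netstat -an' output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def startup_hooks(reg_text):
    """{key: data} for every DOSPRMT.EXE value under the CurrentVersion tree."""
    hooks, key = {}, None
    for line in reg_text.splitlines():
        sec = REG_SECTION.match(line.strip())
        if sec:
            key = sec.group(1)
            continue
        val = REG_VALUE.match(line.strip())
        if (val and key and key.lower().startswith(REG_KEY_PREFIX)
                and val.group(1).upper() == RUN_VALUE_NAME):
            hooks[key] = val.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return hooks


def assess(inventory, netstat_text, reg_text):
    """Combine the indicators. The Registry hook and log are only written when
    C:\\WINDOWS\\FAVORITOS exists, so the core file is the decisive indicator."""
    files = check_files(inventory)
    hooks = startup_hooks(reg_text)
    return {
        "files": files,
        "port_open": BACKDOOR_PORT in listening_ports(netstat_text),
        "hooks": hooks,
        "likely_infected": CORE_COMPONENT in files or bool(hooks),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_INVENTORY, SAMPLE_NETSTAT, SAMPLE_REG))
```

The verdict deliberately does not depend on the Registry value or on port 61000 alone: the note under Operation says the hook is skipped when the Favoritos folder is missing, and an open port is only corroboration until the process behind it is identified.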
Method Of Infection
Via execution of an SFX archive, which drops another SFX archive plus accompanying batch files.