ArryCode, Sunday, February 13, 2011

Type: Backdoor Server
Reported Infections: Low to medium
Distribution Potential: Medium to high
Damage Potential: Medium

Methods of propagation:
   • Autorun feature
   • Infects files

Side effects:
   • Drops malicious files
   • Infects files
   • Registry modification

It copies itself to the following locations:
   • %PROGRAM FILES%\Microsoft\DesktopLayer.exe
   • %drive%\RECYCLER\DesktopLayer.exe

The following file is created:
– %drive%\autorun.inf This is a plain text file (not executable on its own) whose content causes the dropped copy to be started when the drive is opened with Autorun enabled:
   • %code that runs malware%

It tries to execute the following files:
   • %PROGRAM FILES%\Microsoft\DesktopLayer.exe
   • %PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE

File infection: it infects files of the following types. The number in parentheses is the increase in file size in bytes, and the name after the arrow is the detection name given to the infected file:
   • html (+92642) -> VBS/Inor.J
   • exe (+47616) -> W32/Ramnit.A
   • dll (+47616) -> W32/Ramnit.A

Registry: The following registry value is changed, so that Winlogon starts the dropped file at every interactive logon in addition to the legitimate userinit.exe:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Userinit"="%SYSDIR%\userinit.exe,,%PROGRAM FILES%\microsoft\desktoplayer.exe"

Backdoor: It contacts all of the following servers:
   • fge**********.com:443 (TCP)
   • 74.125.**********.105:80 (TCP)

Injection: It injects itself as a remote thread into the following process:
   • iexplore.exe

Miscellaneous: Checks for an internet connection by contacting the following web sites:

It creates the following Mutex:
   • KyUffThOkYwRRtgPP

File details: Runtime packer. To hinder detection and reduce the size of the file, it is packed with a runtime packer.


Copyright 2010 ArryCode_Blog