Backdoor.Win32.Landis.b

tag:Backdoors  


This Trojan provides a remote malicious user with access to the victim machine. The Trojan is controlled via IRC channels.

The Trojan itself is a Windows PE EXE file approximately 113KB in size.

Installation

When installing, the Trojan creates a folder in the Windows system directory under a random name. It then copies itself to this folder as "csrss.exe":

%System%\drtusi\csrss.exe

It also creates the following files in the same folder:

%System%\drtusi\csrss.dat
%System%\drtusi\csrss.ini

The original EXE file is then deleted.

The program then creates a shortcut to itself in the Autorun directory:

%UserProfile%\Start Menu\Programs\Startup\csrss.lnk

It also registers itself in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"csrss" = " "

and adds the following registry values:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load" = "%System%\<random folder name>\csrss.exe"
"Run" = "%System%\<random folder name>\csrss.exe"

In Windows 95/98/ME the program modifies win.ini by adding the following lines to this file:

load = %System%\<random folder name>\csrss.exe
run = %System%\<random folder name>\csrss.exe

It also creates the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"SuperHidden" = "0"
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
"NoAdminPage" = "1"
Payload

The backdoor establishes a connection with a number of IRC servers in order to receive commands from the remote malicious user. The commands offer complete control over the infected machine, including the ability to conduct attacks on other computers, download files, etc.

In addition to the above, the backdoor has the following functionality:

  • propagating via MSN Messenger on command from the remote malicious user: messages urge the recipient to download a copy of the backdoor via a seemingly innocent link, http://www.vbulettin.com/[removed], which closely resembles the address of Virus Bulletin and so encourages the user to trust it
  • downloading and launching a range of files on the victim machine
  • deleting files
  • terminating a range of active processes
  • causing the victim machine to reboot
  • conducting DoS attacks
  • sending the remote malicious user details of the infected system, including passwords and other confidential information entered via the keyboard
  • executing a range of commands on the victim machine
  • downloading updates to itself
  • etc.
Other

The backdoor modifies "%System%\drivers\etc\hosts" by appending the lines below, which map the following sites to 127.0.0.1 and so block access to them:

127.0.0.1 avp.com
127.0.0.1 www.avp.com
127.0.0.1 ca.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 fastclick.net
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 www.awaps.net
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www3.ca.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 pandasoftware.com
127.0.0.1 kaspersky.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.zonelabs.com
127.0.0.1 zonelabs.com
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com
127.0.0.1 www.merijn.org
127.0.0.1 merijn.org
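Both the hosts-file sinkholing listed above and the csrss.exe placement described under Installation can be checked from a forensic image or a live host. The following is an added Python example, not code from the original entry: the watched domain list is drawn from the hosts entries above, the sample hosts content is constructed, and the csrss.exe check assumes the genuine binary lives directly in %System% (C:\Windows\System32 by default).

```python
"""Added detection helpers for two indicators in this entry: security vendor
sites sinkholed to loopback in the hosts file, and csrss.exe running from
anywhere other than the system directory itself."""
import ipaddress
from pathlib import PureWindowsPath

# Registrable domains drawn from the hosts entries the backdoor appends.
WATCHED_DOMAINS = frozenset({
    "avp.com", "kaspersky.com", "viruslist.com", "symantec.com", "mcafee.com", "nai.com",
    "networkassociates.com", "sophos.com", "f-secure.com", "ca.com", "trendmicro.com",
    "pandasoftware.com", "grisoft.com", "zonelabs.com", "my-etrust.com", "microsoft.com",
})

def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback   # covers 127.x.x.x and ::1
    except ValueError:
        return False

def _is_watched(hostname: str) -> bool:
    labels = hostname.lower().rstrip(".").split(".")
    # Test every suffix so liveupdate.symantec.com matches symantec.com.
    return any(".".join(labels[i:]) in WATCHED_DOMAINS for i in range(len(labels)))

def find_hosts_hijacks(hosts_text: str) -> list[tuple[int, str]]:
    """Return (line number, hostname) for each watched name mapped to loopback."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()           # one address, one or more names
        if _is_loopback(addr):
            hits.extend((lineno, n) for n in names if _is_watched(n))
    return hits

def is_masqueraded_csrss(image_path: str, system_dir: str = r"C:\Windows\System32") -> bool:
    """True for a csrss.exe outside %System% itself, e.g. in a random sub-folder.
    Assumes the genuine binary lives directly in the system directory."""
    p = PureWindowsPath(image_path)
    # PureWindowsPath compares case-insensitively, as NTFS does.
    return p.name.lower() == "csrss.exe" and p.parent != PureWindowsPath(system_dir)

# Constructed sample: clean entries first, then lines like those the backdoor appends.
SAMPLE_HOSTS = """127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # legitimate internal entry
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com www.f-secure.com
127.0.0.1 www.fastclick.net
"""
```

Running `find_hosts_hijacks(SAMPLE_HOSTS)` flags the Symantec, Kaspersky and F-Secure names but not localhost or the ad network, since only the vendor domains are on the watch list.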

Landis.b terminates processes whose names contain the following strings:

msconfig.exe
kav.exe
kavsvc.exe
mcvsshld.exe
mcagent.exe
mcvsrte.exe
mcshield.exe
mcvsftsn.exe
mcdash.exe
mcvsescn.exe
mcinfo.exe
mpfagent.exe
mpftray.exe
mpfservice.exe
mskagent.exe
mcmnhdlr.exe
sndsrvc.exe
usrprmpt.exe
ccapp.exe
ccevtmgr.exe
spbbcsvc.exe
ccsetmgr.exe
symlcsvc.exe
npfmntor.exe
navapsvc.exe
issvc.exe
ccproxy.exe
navapw32.exe
navw32.exe
smc.exe
outpost.exe
zlclient.exe
vsmon.exe
isafe.exe
pandaavengine.exe
msblast.exe
penis32.exe
teekids.exe
bbeagle.exe
d3dupdate.exe
sysmonxp.exe
i11r54n4.exe
irun4.exe
mscvb32.exe
sysinfo.exe
mwincfg32.exe
wincfg32.exe
winsys.exe
zapro.exe
winupd.exe
enterprise.exe
regedit.exe
hijackthis.exe
gcasdtserv.exe
gcasserv.exe
pcctlcom.exe
tmntsrv.exe
tmproxy.exe
pccguide.exe
tmpfw.exe
pcclient.exe

It also deletes the following system registry values:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CleanUp]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MCAgentExe]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VirusScan Online]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Outpost Firewall]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ]
[HKLM\Softwsre\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client]

©Virus-Encyclopedia.com All Rights Reserved.