Computer Virus Encyclopedia

Backdoor.Win32.Prexot.a

Alert Level : Medium
Discovered: Jan 28 2006
Discoverer and Source: http://www.kaspersky.com/

Malware Behavior and Technical Description

This Trojan makes it possible to remotely administer the infected computer. It also contains network worm functionality.

The backdoor itself is a Windows PE EXE file 130023 bytes in size, packed using CryptExe.

Installation

Once launched, the backdoor copies itself to the Windows root directory under the following names:

%Windir%\msdef.exe
%Windir%\services.exe

It then registers itself in the system registry, ensuring that the backdoor will be launched each time Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "RPCser32g"="%Windir%\services.exe"

The backdoor also modifies the system registry key listed below. Setting the Start value to 4 disables the Shared Access service, so it will not run at startup.

[HKLM\System\CurrentControlSet\Services\SharedAccess]
 "Start"="4"

It also modifies the registry keys listed below:

[HKCU\Software\Microsoft\Internet Explorer]
 "IEPgfsgdc"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies]
 "DisableRegistryTools"="0"
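
The script below is an added example for checking a machine for the persistence and registry indicators described above; it is not part of the Kaspersky entry. It parses a registry export in .reg text format (a constructed sample is embedded) and reports the Run value, the disabled SharedAccess service and the IEPgfsgdc marker. The check that treats services.exe outside the system32 directory as suspicious is an assumption of this example: the genuine services.exe lives in %System%, while the backdoor drops its copy in %Windir%.

```python
import re
from typing import Dict, List

# Constructed sample of a Windows registry export (.reg text). It is not taken
# from an infected host: it reproduces the values the encyclopedia entry
# attributes to Prexot.a, plus one benign Run entry the checks must ignore.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RPCser32g"="C:\\WINDOWS\\services.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"IEPgfsgdc"="1"
'''

HIVE_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Key paths from the entry, normalised to lower case with abbreviated hive names.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SHARED_ACCESS_KEY = r"hklm\system\currentcontrolset\services\sharedaccess"
IE_KEY = r"hkcu\software\microsoft\internet explorer"
DROPPED_NAMES = {"msdef.exe", "services.exe"}
SERVICE_DISABLED = 4  # SERVICE_DISABLED start type


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {normalised key path: {value name: data}}.

    Only REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx) data are decoded; other
    types are skipped. Doubled backslashes in REG_SZ data are unescaped."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            hive, _, rest = key_match.group(1).partition("\\")
            current = (HIVE_ABBREV.get(hive.upper(), hive) + "\\" + rest).lower()
            keys[current] = {}
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group(1), value_match.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
    return keys


def check_prexot_indicators(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return a human-readable finding for each registry indicator present."""
    findings: List[str] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if not isinstance(data, str):
            continue
        path = data.strip('"')
        directory, _, basename = path.rpartition("\\")
        # Assumption: the genuine services.exe lives only in %System% (system32).
        # A Run entry that launches services.exe or msdef.exe from anywhere else
        # (here, the Windows root) matches the files the backdoor drops.
        outside_system_dir = not directory.lower().endswith("system32")
        if name == "RPCser32g" or (basename.lower() in DROPPED_NAMES and outside_system_dir):
            findings.append(f"Run value {name!r} launches {path}")
    if keys.get(SHARED_ACCESS_KEY, {}).get("Start") == SERVICE_DISABLED:
        findings.append("SharedAccess service disabled (Start=4)")
    if "IEPgfsgdc" in keys.get(IE_KEY, {}):
        findings.append("marker value IEPgfsgdc present under the Internet Explorer key")
    return findings


if __name__ == "__main__":
    for finding in check_prexot_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("[!]", finding)
```

On a live system the same checks can be run against an export produced with `reg export` of the two hives; the parser only needs the REG_SZ and REG_DWORD types the indicators use.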

Propagation via the Internet

Prexot.a selects IP addresses to attack and sends a request to TCP port 445. If the remote machine responds, the backdoor launches its code on the victim machine by exploiting either the Plug and Play or the LSASS vulnerability.
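
Because the worm component contacts many addresses on TCP/445 in a short time, its spreading is visible in perimeter or host firewall logs as one source touching many distinct destinations on that port. The detector below is an added example, not part of the Kaspersky entry; it runs over constructed log lines in a made-up `timestamp action proto src dst dport` format (an assumption of this example, to be adapted to the real log layout) and flags any source that reached at least ten distinct hosts on port 445 within a sixty-second window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed firewall log lines, not from a real device. Fields:
# timestamp action proto src dst dport. 10.0.0.5 behaves like a worm, touching
# twelve different hosts on TCP/445 within 24 seconds; 10.0.0.9 is a normal client.
SAMPLE_LOG = "\n".join(
    [f"2006-01-28T10:00:{s:02d} DROP TCP 10.0.0.5 10.0.1.{n} 445"
     for s, n in zip(range(0, 24, 2), range(20, 32))]
    + [
        "2006-01-28T10:00:05 ALLOW TCP 10.0.0.9 10.0.1.2 445",
        "2006-01-28T10:00:07 ALLOW TCP 10.0.0.9 10.0.1.3 445",
        "2006-01-28T10:00:08 ALLOW TCP 10.0.0.9 10.0.1.2 80",
    ]
)


def parse_line(line: str) -> Tuple[datetime, str, str, str, str, int]:
    """Split one constructed log line into typed fields."""
    ts, action, proto, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), action, proto, src, dst, int(dport)


def find_smb_sweepers(log_text: str, port: int = 445, threshold: int = 10,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Map each source that contacted >= threshold distinct hosts on `port`
    within any `window` to the largest distinct-destination count observed.

    Allowed and dropped attempts both count: a sweep is defined by the fan-out
    of destinations, not by whether the firewall let the packets through."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, proto, src, dst, dport = parse_line(line)
        if proto == "TCP" and dport == port:
            events[src].append((ts, dst))

    sweepers: Dict[str, int] = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= threshold:
                sweepers[src] = max(sweepers.get(src, 0), distinct)
    return sweepers


if __name__ == "__main__":
    for src, count in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"[!] {src} contacted {count} distinct hosts on TCP/445 within 60 s")
```

The threshold and window are deliberately parameters: a file server's clients can legitimately open many port 445 sessions, so the values should be tuned against a baseline of the network before the rule is used for alerting.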

Remote administration

Prexot.a opens a randomly chosen TCP port in order to receive commands. The backdoor gives a remote malicious user full access to the victim machine.

Other

Prexot.a modifies the %System%\drivers\etc\hosts file by adding the text below. Each entry maps the hostname to the loopback address 127.0.0.1, so the user is unable to access the sites listed below from the victim machine.

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 oxyd.fr
127.0.0.1 pandasoftware.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 t35.com
127.0.0.1 t35.net
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 virustotal.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.oxyd.fr
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.t35.com
127.0.0.1 www.t35.net
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.virustotal.com
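
The following script is an added example, not part of the Kaspersky entry, for detecting and repairing this kind of hosts-file tampering. It parses a constructed hosts file, reports every entry that points a security vendor or update hostname (or any subdomain of one) at a loopback or unspecified address, and returns a cleaned copy with those lines removed. The domain list is built from the entries above; extending it to other vendors is up to the operator.

```python
import ipaddress
from typing import List, Tuple

# Constructed hosts file contents (not from a real host): the usual localhost
# entry, one intranet alias, and three of the redirections the entry lists.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # constructed intranet host
127.0.0.1 kaspersky.com
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
"""

# Registrable domains whose hosts the backdoor redirects (taken from the list
# above); any subdomain of these counts as a hit.
VENDOR_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "grisoft.com", "kaspersky-labs.com",
    "kaspersky.com", "mcafee.com", "microsoft.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "pandasoftware.com", "sophos.com", "symantec.com",
    "symantecliveupdate.com", "trendmicro.com", "viruslist.com", "virustotal.com",
}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, ip, hostname) for every mapping, skipping comments."""
    entries: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((lineno, ip, name.lower()) for name in names)
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def matches_domain(hostname: str, domains) -> bool:
    """True if hostname equals, or is a subdomain of, any entry in domains."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def find_hijacked_entries(text: str) -> List[Tuple[int, str, str]]:
    """Hosts entries that sinkhole a security vendor or update hostname."""
    return [
        (lineno, ip, name)
        for lineno, ip, name in parse_hosts(text)
        if name != "localhost" and is_sinkhole(ip) and matches_domain(name, VENDOR_DOMAINS)
    ]


def clean_hosts(text: str) -> str:
    """Return the hosts file with the hijacked lines removed (the repair step)."""
    bad_lines = {lineno for lineno, _, _ in find_hijacked_entries(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), start=1)
            if lineno not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"[!] line {lineno}: {name} -> {ip}")
```

Matching on loopback and unspecified addresses rather than on the literal `127.0.0.1` catches the `0.0.0.0` and `::1` variants of the same trick; on a real machine the cleaned text would be written back to %System%\drivers\etc\hosts after the backdoor itself has been removed, since the running process would otherwise re-add the entries.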

The program also terminates the processes listed below:

_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
b055262c.dll
backdoor.rbot.gen.exe
backdoor.rbot.gen_(17).exe
CFIAUDIT.EXE
dailin.exe
DRWEBUPW.EXE
F-AGOBOT.EXE
GfxAcc.exe
HIJACKTHIS.EXE
IAOIN.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
Lien Van de Kelderrr.exe
LUALL.EXE
MCUPDATE.EXE
msnmsgr.exe
msssss.exe
NUPGRADE.EXE
rasmngr.exe
RAVMOND.exe
RB.EXE
Systra.exe
taskmanagr.exe
UPDATE.EXE
VisualGuard.exe
wfdmgr.exe
WIN32.EXE
WIN32US.EXE
WINACTIVE.EXE
WIN-BUGSFIX.EXE
WINDOW.EXE
WINDOWS.EXE
WININETD.EXE
WININIT.EXE
WININITX.EXE
WINLOGIN.EXE
WINMAIN.EXE
WINPPR32.EXE
WINRECON.EXE
winshost.exe
WINSSK32.EXE
WINSTART.EXE
WINSTART001.EXE
WINTSK32.EXE
WINUPDATE.EXE
WKUFIND.EXE
WNAD.EXE
WNT.EXE
wowpos32.exe
WRADMIN.EXE
WRCTRL.EXE
wuamga.exe
wuamgrd.exe
WUPDATER.EXE
WUPDT.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALM2601.EXE
ZONEALARM.EXE

It also downloads a file named upx.exe from the following addresses:

http://***google.biz
http://4***scripts.com
http://***ogle.com

Kaspersky Anti-Virus detects this file as Backdoor.Win32.Surila.ak.

This file will be saved to the victim machine and then launched for execution.

Removal Backdoor.Win32.Prexot.a instructions:
