FRISK Software International


Summary of W32/Backdarter.A
Length: 900.088 bytes
Discovered: 2 Apr 2003
Definition files: 5 Apr 2003
Risk Level: Low
Distribution: Low
Infection Method: This backdoor package can spread via default network shares or be installed as a stand-alone application.
Payload: Compromises the security of the system it is deployed on by allowing unauthorized access to it and full unauthorized use of it.
 

Brief Description
W32/Backdarter.A is a fully functional backdoor package that provides unauthorized access to the user's computer when deployed. Depending on the operating system, the initial installer creates the following directory:

Under Windows 9x/Me:
[Windows_system_directory]\SYSTEM\DRIVERS\MEDIA\CAT32
Under Windows NT/2000/XP:
[Windows_system_directory]\system32\drivers\media\cat32

It creates the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Services"="[system_directory]\System\drivers\media\cat32\services.exe" (Win9x/Me) or "[system_directory]\System32\drivers\media\cat32\services.exe" (Win2000/XP)

On Windows 2000/XP systems, it creates the additional registry value:
[HKEY_USERS\{Current_user_id}\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="[system_directory]\system32\drivers\media\cat32\services.exe"


The services.exe file is a slightly modified variant of the original mirc32.exe distributed with mIRC v5.91; in the context of W32/Backdarter.A it works as a connection point for the various components included with the backdoor. After the installation routine has finished, services.exe is executed and stays running in memory. It sends out a DNS query to resolve the name of a remote IRC server and, if that succeeds, attempts to connect to that server and sends a notification that informs the operators of its presence.


Technical Description
W32/Backdarter.A is a fully functional backdoor package. Among its capabilities, it can spread through network shares via a simple brute-force attack against password-protected shares, perform denial-of-service attacks, perform NetBIOS scanning and download additional files to the compromised system. When the initial dropper for this backdoor is run, depending on the operating system, it creates the following directory:

Under Windows 9x/Me:
[Windows_system_directory]\SYSTEM\DRIVERS\MEDIA\CAT32
Under Windows NT/2000/XP:
[Windows_system_directory]\system32\drivers\media\cat32


Depending on the operating system W32/Backdarter.A is installed on, it creates the following registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Services"="[system_directory]\System\drivers\media\cat32\services.exe" (Win9x/Me) or "[system_directory]\System32\drivers\media\cat32\services.exe" (Win2000/XP)
On Windows 2000/XP systems, it creates the additional registry value:
[HKEY_USERS\{Current_user_id}\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="[system_directory]\system32\drivers\media\cat32\services.exe"
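The registry values and drop directories above (listed in both the brief and the technical description), together with the component sizes given in the file list further down, are the host indicators an incident responder would look for. The following Python script is an added example, not part of the FRISK analysis and not code from the backdoor: it matches a host inventory against those indicators, abstracting away the Win9x/Me versus NT/2000/XP difference in the system directory and the per-user SID under HKEY_USERS. The registry entries and the directory listing it runs over are constructed sample data standing in for a registry export and a file listing, so it runs offline; the size of the legitimate services.exe and of oissq400.dll in the sample are made up, since the analysis does not give them.

```python
"""Offline check for the W32/Backdarter.A host indicators listed in this analysis.

Added example, not part of the original FRISK write-up. Registry locations,
drop directories and file sizes come from the analysis; the sample registry
entries and file listing at the bottom are constructed.
"""
import fnmatch
import re

# The cat32 drop directory sits under \SYSTEM\DRIVERS (Win9x/Me) or
# \system32\drivers (NT/2000/XP); one pattern covers both, case-insensitively.
CAT32_DIR_RE = re.compile(r"\\system(?:32)?\\drivers\\media\\cat32(?:\\|$)", re.IGNORECASE)

# Autostart locations the installer writes (key pattern -> value name).
# The HKEY_USERS key is written under the current user's SID on 2000/XP,
# so a wildcard stands in for the SID.
AUTOSTART_LOCATIONS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "Services",
    r"HKEY_USERS\*\Software\Microsoft\Windows NT\CurrentVersion\Windows": "run",
}

# Sizes in bytes of the dropped components whose size the analysis gives.
DROPPED_FILE_SIZES = {
    "delttsul.exe": 900088,
    "doskey.exe": 40960,
    "services.exe": 526848,
    "tapi.exe": 122880,
    "termsrv.exe": 40960,
    "usrmgr.exe": 53760,
}


def in_cat32_dir(path: str) -> bool:
    """True if the path points into the cat32 drop directory of either OS family."""
    return CAT32_DIR_RE.search(path) is not None


def check_registry(entries):
    """entries: iterable of (key, value_name, data). Returns autostart findings.

    A value only counts when it lives in one of the known keys, has the expected
    name and points into the cat32 directory, so an unrelated "Services" value
    elsewhere is not reported.
    """
    findings = []
    for key, name, data in entries:
        for pattern, wanted in AUTOSTART_LOCATIONS.items():
            if (fnmatch.fnmatchcase(key.lower(), pattern.lower())
                    and name.lower() == wanted.lower()
                    and in_cat32_dir(data.strip('"'))):
                findings.append(f"autostart value {key}\\{name} -> {data}")
    return findings


def check_files(listing):
    """listing: iterable of (path, size_in_bytes). Returns drop-directory findings."""
    findings = []
    for path, size in listing:
        if not in_cat32_dir(path):
            continue  # the genuine services.exe in system32 is not in cat32
        name = path.rsplit("\\", 1)[-1].lower()
        expected = DROPPED_FILE_SIZES.get(name)
        if expected is None:
            findings.append(f"file in drop directory: {path} ({size} bytes)")
        elif expected == size:
            findings.append(f"dropped component, size matches: {path}")
        else:
            findings.append(f"dropped component, size differs ({size} != {expected}): {path}")
    return findings


def scan(entries, listing):
    """Run both checks and return the combined list of findings."""
    return check_registry(entries) + check_files(listing)


# Constructed sample input: a Windows 2000 host after the dropper ran.
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Services",
     r"C:\WINNT\system32\drivers\media\cat32\services.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Synchronization Manager",
     r"mobsync.exe /logon"),
    (r"HKEY_USERS\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "run", r"C:\WINNT\system32\drivers\media\cat32\services.exe"),
]
SAMPLE_FILES = [
    (r"C:\WINNT\system32\services.exe", 91136),  # legitimate Windows binary; size constructed
    (r"C:\WINNT\system32\drivers\media\cat32\services.exe", 526848),
    (r"C:\WINNT\system32\drivers\media\cat32\termsrv.exe", 40960),
    (r"C:\WINNT\system32\drivers\media\cat32\oissq400.dll", 28672),  # size constructed
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(line)
```

On the sample data the script reports the two autostart values and the three files under cat32, and ignores the legitimate services.exe in system32 and the unrelated Run value. The size check is deliberately only advisory: a match corroborates a component, a mismatch does not clear it, since a repacked variant changes the size but not the drop location.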


In addition, Delttsul.exe drops an uninstaller named "yes Uninstaller" into the system directory. When run, it attempts to remove the files from the location they were originally dropped to; the outcome depends on whether the backdoor is running as a process in memory. Running this uninstaller after services.exe has been loaded into memory leaves a significant part of the backdoor on the user's hard drive, although it does remove the Run value from the registry.

After the installation routine has finished, services.exe is executed and stays running in memory. It sends out a DNS query to resolve the name of a remote IRC server and, if that succeeds, attempts to connect to that server and sends a notification that informs the operators of its presence.

The files dropped by the installer are as follows:

Delttsul.exe:

An identical copy of the initial dropper: an Astrum-install archive with a size of 900.088 bytes.

doskey.exe:

This is a tool used to hide any window on the desktop from the user. Written in C++, it has a size of 40.960 bytes. Although not malicious as such, this tool is deployed by various backdoors. This file is detected as "W32/Hidewnd.component".

faxocm.bat:

This is a simple batch script that tries to access the default "Admin share" commonly found on Windows 2000/XP systems using a couple of standard passwords. If an attempt succeeds and access is gained, it copies the Delttsul.exe archive to that share and executes it remotely.

hlink.bat:

This is a batch script intended to remove pre-defined network shares if they exist. Among them are the default "Admin share" mentioned above, the shares of six drives (c:, d:, e:, f:, g:, h:) and the "IPC$" share.

msdart32.dll:

This file contains information used by the IRC component of this backdoor.

ntbooks.exe:

This is a process viewer intended for use on Windows-based systems. Originally developed by Igor Nys, this tool is not malicious and is not detected by F-Prot. Among the options it provides are shutting down processes, retrieving the startup environment of processes and activating a process.

ntds.dit:

This is a mIRC-based DLL that provides support for redirecting the input/output of programs executed from within mIRC. In the context of this backdoor it is used to call and execute external functions while hiding their input/output from the user. The version distributed with W32/Backdarter.A is not malicious and is therefore not detected by F-Prot.

oissq400.dll:

The oissq400.dll is a complex mIRC-based script containing the core elements of the backdoor. Its purpose is to tie the various components of this backdoor together and provide the backdoor with additional functionality. It has functions to call most of the components found with this backdoor, passing them the relevant parameters. Although it handles many functions, such as LAN spreading, NetBIOS scanning and denial-of-service attacks, by calling external components that are part of this backdoor, it provides certain features on its own: it can download files from remote locations over HTTP and execute them, and it includes a built-in BNC (IRC bouncer) connection script.

rcfg.ini:

The rcfg.ini file is a modified version of the mirc.ini file shipped with mIRC version 5.9. It contains the information needed for mIRC to function correctly.

services.exe:

Services.exe is a slightly modified version of the original mirc32.exe file distributed with version 5.91 of mIRC. It is compressed with ASPack and has a size of 526.848 bytes. The modifications do not alter the internal functionality of this application in any significant way compared with the original mirc32.exe; the changes lie mostly in the configuration files mentioned above. This file is detected as "W32/Backdarter.A".

Tapi.exe:

Tapi.exe is the standard Sysinternals utility released under the name psexec.exe, which can execute programs remotely. The size of Tapi.exe is 122.880 bytes. It is used in conjunction with faxocm.bat, for example. F-Prot does not detect this application, since it is not malicious.

termsrv.exe:

The termsrv.exe is a denial-of-service tool that floods the target with forged SYN packets; its size is 40.960 bytes. A detailed description of this tool is available from the following location. The termsrv.exe is detected as "W32/Synflood.nenet".

tifflt.dll:

The tifflt.dll contains a list of broadcast addresses for various IP networks. It is used in conjunction with oissq400.dll to choose a random network for NetBIOS scanning.

TIMER.bat:

The TIMER.bat is a clean-up script for this backdoor; it attempts to remove the files originally dropped by the Delttsul.exe archive.

usrmgr.exe:

The usrmgr.exe is the second denial-of-service component found within this backdoor; its size is 53.760 bytes. This tool sends out specially crafted IGMP (Internet Group Management Protocol) packets, which, like ICMP (Internet Control Message Protocol), are encapsulated within an IP datagram and sent across networks. The tool provides options for constructing IGMP packets of various sizes, along with specifying the target and the number of packets to be sent. This type of attack usually aims at exhausting the network resources available to the target. Although this tool tends to construct corrupted packets, with invalid checksums and corrupted headers, that does not rule out the overall effect of the denial-of-service attack it can perform. This tool is detected by F-Prot as "W32/Igmp.bomber".
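Both flood components above give a packet filter or IDS something concrete to check: usrmgr.exe emits IGMP messages encapsulated in IP whose checksums and headers are often invalid, and termsrv.exe sends forged SYN packets. The following Python script is an added example, not part of the FRISK analysis and not code from either tool. It decodes an IPv4 datagram, verifies the IP header checksum and the IGMP checksum with the RFC 1071 ones-complement sum, and tallies SYN-only TCP segments by source address. All packets are constructed in the script (nothing is sent or captured); it assumes the SYN forgery is of the source address, as is usual for such floods, and it leaves the TCP checksum unverified because that needs the pseudo-header and is not the point here.

```python
"""Decode IPv4 datagrams and verify the checksums a flood tool may get wrong.

Added example; not part of the FRISK analysis and not code from the backdoor.
Every packet below is constructed in this file; nothing is sent on the wire.
"""
import ipaddress
import struct

IPPROTO_IGMP = 2
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum shared by IPv4, IGMP, ICMP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_igmp(msg_type: int, max_resp: int, group: str) -> bytes:
    """8-byte IGMPv2 message: type, max response time, checksum, group address."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_tcp_syn(sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header with only SYN set; TCP checksum left zero (not verified here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)


def inspect(pkt: bytes) -> dict:
    """Decode one datagram and return the fields a filter decision needs."""
    if len(pkt) < 20:
        return {"verdict": "truncated"}
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return {"verdict": "malformed-ip"}
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        # A valid header sums to 0xFFFF, so the checksum over it comes out 0.
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "length_ok": total_len == len(pkt),
    }
    payload = pkt[ihl:]
    if proto == IPPROTO_IGMP:
        if len(payload) < 8:
            info["verdict"] = "igmp-truncated"
        else:
            info["igmp_type"] = payload[0]
            info["igmp_checksum_ok"] = inet_checksum(payload) == 0
            ok = info["ip_checksum_ok"] and info["length_ok"] and info["igmp_checksum_ok"]
            info["verdict"] = "igmp" if ok else "igmp-corrupt"
    elif proto == IPPROTO_TCP:
        if len(payload) < 20:
            info["verdict"] = "tcp-truncated"
        else:
            flags = payload[13]
            info["syn_only"] = (flags & 0x12) == 0x02  # SYN set, ACK clear
            info["verdict"] = "tcp-syn" if info["syn_only"] else "tcp"
    else:
        info["verdict"] = "other"
    return info


def triage(pkts):
    """Count verdicts and collect the source addresses of SYN-only segments."""
    counts, syn_sources = {}, set()
    for pkt in pkts:
        info = inspect(pkt)
        counts[info["verdict"]] = counts.get(info["verdict"], 0) + 1
        if info["verdict"] == "tcp-syn":
            syn_sources.add(info["src"])
    return counts, syn_sources


# Constructed samples: a valid IGMPv2 general query, the same packet with its
# group field corrupted so the IGMP checksum fails, and five SYN-only segments
# to one port from five different (forged) sources.
GOOD_IGMP = build_ipv4("192.0.2.10", "224.0.0.1", IPPROTO_IGMP, build_igmp(0x11, 100, "0.0.0.0"), ttl=1)
_bad = bytearray(GOOD_IGMP)
_bad[-1] ^= 0xFF
BAD_IGMP = bytes(_bad)
SYN_FLOOD = [build_ipv4(f"198.51.100.{i}", "192.0.2.80", IPPROTO_TCP, build_tcp_syn(1024 + i, 80, i * 1000))
             for i in range(1, 6)]

if __name__ == "__main__":
    counts, sources = triage([GOOD_IGMP, BAD_IGMP] + SYN_FLOOD)
    print(counts, sorted(sources))
```

Run stand-alone it prints one valid IGMP, one corrupt IGMP and five SYN-only segments from five distinct sources. A checksum failure on its own is a weak signal (links corrupt packets too), which is why the corrupt verdict is kept separate from the flood count; the SYN-source set is the part that scales into a real detector, where many distinct sources hitting one port in a short window is the signature of a forged-source flood.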



Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International
 

