Sunday, 15 January 2006
Backdoor.Rustock is a back door program that allows a compromised computer to be used as a covert proxy. It uses rootkit techniques to hide any files and registry subkeys it creates.
Also Known As: Troj/Mipbot-B [Sophos]
Type: Trojan Horse
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP
Damage
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: Injects a .dll into a process.
Degrades performance: Opens a covert proxy which may degrade performance.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP Port 25
Shared drives: n/a
Target of infection: n/a
When Backdoor.Rustock is executed, it performs the following actions:
Creates the following files:
%System%\drivers\I386P.SYS
%System%\MSCTL32.DLL
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the values:
"Asynchronous" = "1"
"DllName" = "[NAME_OF_TROJAN_DLL].DLL"
"Impersonate" = "0"
"Startup" = "Startup"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll
so that it is executed every time Windows starts.
Creates a hidden device service with the following characteristics:
Display Name: i386p
Image Path: %System%\drivers\I386P.SYS
Note: This device is a kernel-mode rootkit that enables the Trojan to hide the files and registry subkey it creates. It may also play a role in any attempt by the Trojan to steal sensitive information.
Injects the dropped .dll into the WINLOGON process.
It may download and install the ICQ program from:
[http://]ftp.icq.com/pub/ICQ_WIN95_98_NT4/[REMOVED]/icq5_setup.exe
The back door then opens a covert proxy on a randomly-chosen TCP port on the infected computer.
Attempts to contact the following sites to download files and some configuration:
[http://]ftp.skystockfinance.cc/[REMOVED]
[http://]https.enjoyfit2006.biz/[REMOVED]
[http://]www2.firemonk2006.com/[REMOVED]
It may contact the following SMTP hosts using port 25:
mxs.mail.ru
smtp.yandex.ru
maila.microsoft.com
To remove the entries from the registry:
Navigate to and delete the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll
Navigate to and delete the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386p
Exit the Registry Editor.
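As an added example (not part of this write-up), the following Python check scans a .reg export of the Winlogon\Notify and Services keys for the persistence entries described above. Because the I386P.SYS driver hides these entries from the running system, the export should be taken from an offline copy of the hives rather than from the live machine; the sample export embedded here is constructed for illustration.

```python
from typing import Dict, List

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Indicators taken from the write-up above.
IOC_DLL = "msctl32.dll"
IOC_SERVICE = "i386p"
IOC_DRIVER = "i386p.sys"

# Constructed sample: a REGEDIT5-style export containing one legitimate
# Notify package plus the entries the Trojan adds.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll]
"Asynchronous"="1"
"DllName"="MSCTL32.DLL"
"Impersonate"="0"
"Startup"="Startup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386p]
"DisplayName"="i386p"
"ImagePath"="\\SystemRoot\\System32\\drivers\\I386P.SYS"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: data}} (strings kept raw)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def find_rustock_artifacts(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Notify packages and services matching the write-up's indicators."""
    findings: List[str] = []
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            dll = values.get("DllName", "").lower()
            if dll.endswith(IOC_DLL) or key.lower().endswith("\\" + IOC_DLL):
                findings.append(f"Winlogon Notify package loads {dll}: {key}")
        elif key.lower().startswith(SERVICES_KEY.lower() + "\\"):
            svc = key.rsplit("\\", 1)[1].lower()
            image = values.get("ImagePath", "").replace("\\\\", "\\").lower()
            if svc == IOC_SERVICE or image.endswith(IOC_DRIVER):
                findings.append(f"Service {svc} with image {image}: {key}")
    return findings


if __name__ == "__main__":
    for finding in find_rustock_artifacts(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

A clean export yields no findings; the constructed sample yields one finding for the Notify package and one for the i386p service.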