
Backdoor:Win32/Vawtrak.A


First posted on 21 May 2013.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Vawtrak.A.

Explanation :



Installation

When run, this backdoor malware drops its DLL component in %ALLUSERSPROFILE%\AppData using a random file name with the DAT extension. Some of the file names it has been known to use are:

  • degwbxm.dat
  • dqxcovwm.dat
  • ejrtzpaz.dat
  • fvvifvwz.dat
  • iopwark.dat
  • uvfuvwog.dat
  • wthejcy.dat
  • xausgo.dat
  • zlbgqk.dat


The DLL file is then injected into a running process, for example, any of the following:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe


This malware creates the following registry entry so that its DLL component automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<DLL file name>"
With data: "regsvr32.exe /s "%ALLUSERSPROFILE%\AppData\<DLL file name>.dat""

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "bqbclrtr"
With data: "regsvr32.exe /s "C:\Documents and Settings\All Users\Application Data\bqbclrtr.dat""



Payload

Changes Internet Explorer settings

This malware changes the following Internet Explorer settings:

  • Disables the home page warning message when Internet Explorer is opened for the first time:

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "NoProtectedModeBanner"
    With data: "dword:00000001"

  • Sets tabs and frames to run within the same process in IE:

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "TabProcGrowth"
    With data: "dword:00000000"

  • Lowers Internet zone security settings:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "2500"
    With data: "dword:00000003"
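As an added defender-side check (not part of the Microsoft write-up), the following Python parses a constructed `reg export` text and flags both the Run-key persistence pattern from the installation section and the three Internet Explorer changes listed above. The sample registry text, the benign OneDrive filler line and the function names are assumptions made for this example.

```python
import re
# Constructed sample of a "reg export" of the keys this write-up names; the
# "bqbclrtr" line copies the example above, the OneDrive line is benign filler.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\me\\AppData\\Local\\OneDrive\\OneDrive.exe\" /background"
"bqbclrtr"="regsvr32.exe /s \"C:\\Documents and Settings\\All Users\\Application Data\\bqbclrtr.dat\""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
"TabProcGrowth"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
'''
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft"
RUN_KEY = HKCU + r"\Windows\CurrentVersion\Run"
IE_MAIN = HKCU + r"\Internet Explorer\Main"
ZONE3 = HKCU + r"\Windows\CurrentVersion\Internet Settings\Zones\3"
# Persistence pattern: regsvr32 /s loading a .dat from the all-users AppData
# folder ("Application Data" on XP-era paths, "AppData" on newer ones).
PERSIST_RE = re.compile(
    r'^regsvr32(\.exe)?\s+/s\s+"?[^"]*\\(Application Data|AppData)\\[^\\"]+\.dat"?$',
    re.IGNORECASE)
# The three IE changes from the payload section, as (key, value name) -> data.
IE_CHANGES = {(IE_MAIN, "NoProtectedModeBanner"): 1, (IE_MAIN, "TabProcGrowth"): 0,
              (ZONE3, "2500"): 3}

def parse_reg(text):
    """Parse a .reg export into {(key, name): data}; REG_SZ and REG_DWORD only."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.lower().startswith("dword:"):
                values[(key, name)] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # Undo .reg escaping: \\ becomes \ and \" becomes "
                values[(key, name)] = re.sub(r'\\(["\\])', r'\1', data[1:-1])
    return values

def find_vawtrak_indicators(text):
    """Return findings for the persistence entry and IE changes described above."""
    values, findings = parse_reg(text), []
    for (key, name), data in values.items():
        if key == RUN_KEY and isinstance(data, str) and PERSIST_RE.match(data):
            findings.append(f"Run value '{name}' loads a .dat via regsvr32: {data}")
    for (key, name), bad in IE_CHANGES.items():
        if values.get((key, name)) == bad:
            findings.append(f"IE setting {name}={bad} under {key}")
    return findings
```

On a live host, feed it the output of `reg export HKCU\Software\Microsoft out.reg` (UTF-16 by default, so decode before parsing).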

Allows a remote attacker to access your computer

This backdoor malware contacts a remote attacker by connecting to a certain server. Some of the servers it has been known to connect to are:



Once connected, the remote attacker may do the following:

  • Log your keystrokes
  • Take screenshots of your desktop
  • Open a remote command shell
  • Download and run arbitrary files
  • Find out what processes are running on your computer
  • Get a list of your visited websites
  • Delete your browser cache
  • Delete arbitrary files
  • Steal digital certificates saved in your computer
  • Steal IE and Firefox cookies
  • Start or stop processes like IE, Firefox, Outlook, Windows Explorer, Command prompt, and Task Manager
  • Change Firefox settings


Steal information

This backdoor malware might steal information such as your user name and password for certain websites. We have observed this malware stealing this information when you visit any of these websites:

  • caixaebanking.cgd.pt
  • chaseonline.chase.com


Note that the monitored websites might vary from sample to sample of this malware.

The stolen credentials are then sent to the remote attacker.



Analysis by Ric Robielos

Last update 21 May 2013
