
Backdoor:Win32/Cucirk.A


First posted on 15 February 2012.
Source: Microsoft

Aliases :

Backdoor:Win32/Cucirk.A is also known as Trojan/Win32.PcClient (AhnLab).

Explanation :

Backdoor:Win32/Cucirk.A is a trojan that allows backdoor access and control. It can also terminate security-related applications and firewall programs.





Installation

Backdoor:Win32/Cucirk.A may be dropped by any of the following malware:

  • TrojanDropper:Win32/Cucirk.A
  • TrojanDropper:Win32/Cucirk.B


Backdoor:Win32/Cucirk.A may have the following file name:

%AppData%\Recycler.DLL

It may run using any of the following methods:

  • TrojanDropper:Win32/Cucirk.A drops a file named <startup folder>\windows security center.lnk, which links back to %AppData%\Recycler.DLL
  • TrojanDropper:Win32/Cucirk.B drops a file named <startup folder>\windows security center.exe, which runs %AppData%\Recycler.DLL


It creates the following registry entry as part of its installation routine:

In subkey: HKLM\SOFTWARE\DsExplain\
Sets value: "Explain"
With data: "07 59 E8 6C E1 4F 6F 60 00 00"
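The artifacts above (the dropped DLL, the two Startup-folder launchers and the DsExplain registry marker) are enough for a quick host triage. The following PowerShell script is an added example and is not part of the Microsoft write-up: it checks each artifact in turn. The file, shortcut and registry names come from the write-up; checking both the per-user and all-users Startup folders, looking under Wow6432Node as well as the native HKLM view, and treating the "Explain" value as REG_BINARY are assumptions made here for the example.

```powershell
# Added example (not Microsoft's code): triage check for the Cucirk.A
# installation artifacts listed in the write-up. Names and paths are from the
# write-up; the Wow6432Node path, the all-users Startup folder and the
# REG_BINARY assumption for "Explain" are assumptions made for this example.

$findings = New-Object System.Collections.Generic.List[string]

# 1. The dropped component in the roaming profile.
$dll = Join-Path $env:APPDATA 'Recycler.DLL'
if (Test-Path -LiteralPath $dll) {
    $findings.Add("File present: $dll")
}

# 2. Launchers in the Startup folder. Dropper .A writes a .lnk, dropper .B an
#    .exe; check both names in the per-user and the all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    foreach ($name in @('windows security center.lnk', 'windows security center.exe')) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $findings.Add("Startup entry: $path")
        if ($name -like '*.lnk') {
            # Resolve the shortcut so its target can be compared with Recycler.DLL.
            $lnk = $wsh.CreateShortcut($path)
            $findings.Add("  -> target: $($lnk.TargetPath) $($lnk.Arguments)")
        }
    }
}

# 3. The registry marker. The sample is 32-bit, so on 64-bit Windows the key
#    may have been redirected under Wow6432Node; check both views.
$expectedHex = '07 59 E8 6C E1 4F 6F 60 00 00'
foreach ($key in @('HKLM:\SOFTWARE\DsExplain', 'HKLM:\SOFTWARE\Wow6432Node\DsExplain')) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $findings.Add("Registry key present: $key")
    $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Explain
    if ($null -eq $value) { continue }
    # REG_BINARY comes back as [byte[]]; render it as the spaced hex the write-up uses.
    $hex = if ($value -is [byte[]]) {
        ($value | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    } else {
        [string]$value
    }
    $findings.Add("  Explain = $hex (matches write-up: $($hex -eq $expectedHex))")
}

if ($findings.Count -eq 0) {
    'No Cucirk.A installation artifacts found.'
} else {
    $findings
}
```

Run it in the context of the user whose profile is suspected, since `%AppData%` and the per-user Startup folder are profile-specific. A clean result only means these particular names are absent; the droppers choose the names, so a variant can change them, and the write-up's "may have the following file name" wording should be read as a typical case rather than a guarantee. Removing the all-users Startup entry or the HKLM key requires an elevated session.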



Payload

Terminates security applications

Backdoor:Win32/Cucirk.A is capable of terminating the following security applications:

  • 360 Antivirus
  • AntiVir
  • Avast Antivirus
  • AVG Antivirus
  • BitDefender
  • Dr.Web
  • Ewido Security Suite
  • F-Secure
  • Jiangmin Antivirus
  • Kaspersky Antivirus
  • Kingsoft Internet Security 2008
  • McAfee VirusScan
  • Nod32 Antivirus 2.x
  • NOD32 Antivirus 3.x
  • Panda Antivirus/Firewall
  • PC-cillin Antivirus
  • Rising Antivirus 2008
  • Symantec/Norton


Backdoor:Win32/Cucirk.A disables the following firewall applications:

  • 360Safe AntiArp
  • BitDefender/BullGuard Antivirus
  • Comodo Firewall
  • eTrust EZ Firewall
  • F-Secure Internet Security
  • McAfee Personal Firewall
  • Norton Personal Firewall
  • Outpost Personal Firewall
  • Panda Anti-Virus/Firewall
  • Panda Internet Security Suite
  • Rising Firewall
  • ZoneAlarm


Allows backdoor access and control

Backdoor:Win32/Cucirk.A can connect to several servers to receive commands from a remote attacker. The list of servers includes, but is not limited to, the following:

  • 219.<removed>47.205.147
  • yf07<removed>.oicp.net
  • zygc<removed>302903.gicp.net


Once connected, it can send the following information about the affected computer to the remote attacker:

  • Available drives
  • Computer name
  • Free disk space
  • Installed memory
  • Operating system version
  • Processor speed
  • Service pack version
  • System settings


It can also perform the following actions:

  • Capture webcam stream
  • Download a new malware binary
  • Log keystrokes
  • Open a command shell




Analysis by Patrick Estavillo

Last update 15 February 2012
