
Trojan:Win64/Bledoor.A


First posted on 13 July 2012.
Source: Microsoft

Aliases:

Trojan:Win64/Bledoor.A is also known as Trojan-Dropper.Win64.Winnti.a (Kaspersky), Trojan.Bledoor!b9ZV1QcfA80 (VirusBuster).

Explanation:



Trojan:Win64/Bledoor.A is a trojan that changes your computer's settings so it may run any DLL file, even potentially malicious ones. It also connects to certain servers to receive commands from a remote attacker.



Installation

Trojan:Win64/Bledoor.A copies itself into your computer as:

<system folder>\pciexij.dll

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Trojan:Win64/Bledoor.A can change the following registry entry to make sure that its copy is loaded by each Windows-based program:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
Sets value: "AppInit_DLLs"
With data: "pciexij.dll"

More information about the AppInit_DLLs registry value is available in Microsoft's documentation.

Trojan:Win64/Bledoor.A injects itself into the "svchost.exe" process. It hooks the following APIs inside the "svchost.exe" process:

  • SetConsoleCtrlHandler
  • RegisterServiceCtrlHandlerExW
  • RegisterServiceCtrlHandlerW


It creates the following registry entry as part of its installation routine:

In subkey: HKLM\SOFTWARE\Microsoft\HTMLHelp\
Sets value: "data"
With data: "<random characters>"



Payload

Changes computer settings

Trojan:Win64/Bledoor.A sets the following registry entry to enable the use of AppInit_DLLs:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "LoadAppInit_DLLs"
With data: "1"

It also sets the following registry entry to load any DLL file, even potentially malicious ones:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "RequireSignedAppInit_DLLs"
With data: "0"
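
The three AppInit_DLLs values above (the DLL list under Installation, and LoadAppInit_DLLs / RequireSignedAppInit_DLLs under Payload) together form the persistence mechanism, so a defender's check should read all three. The following PowerShell audit is an added example, not code from the original entry or from Microsoft; it assumes the 64-bit key listed above plus the Wow6432Node mirror used by 32-bit processes, treats an absent RequireSignedAppInit_DLLs as 0 (the Windows 7 default), resolves bare DLL names against System32, and also looks for the HTMLHelp "data" value noted under Installation.

```powershell
# Added example (not from the original advisory): audit the AppInit_DLLs
# configuration this trojan sets, and the HTMLHelp "data" value it creates.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view (assumption: worth checking too)
)
$findings = @()
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $p      = Get-ItemProperty -Path $key
    $load   = $p.LoadAppInit_DLLs
    $signed = $p.RequireSignedAppInit_DLLs
    if ($null -eq $signed) { $signed = 0 }   # absent value behaves as 0 on Windows 7
    $dlls   = $p.AppInit_DLLs
    if ($load -eq 1 -and $signed -eq 0) {
        $findings += "$key : LoadAppInit_DLLs=1 with RequireSignedAppInit_DLLs=0 (unsigned DLLs are loaded into every user-mode process)"
    }
    if ($dlls) {
        # AppInit_DLLs is a space- or comma-separated list of DLL names or paths
        foreach ($name in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
            $path = $name
            if (-not [System.IO.Path]::IsPathRooted($name)) {
                $path = Join-Path $env:SystemRoot "System32\$name"   # bare names resolve from the System folder
            }
            if (Test-Path $path) {
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status
                $findings += "$key : AppInit_DLLs entry '$name' -> $path (Authenticode status: $sig)"
            } else {
                $findings += "$key : AppInit_DLLs entry '$name' not found at $path"
            }
        }
    }
}
# Secondary indicator from the Installation section: HKLM\SOFTWARE\Microsoft\HTMLHelp "data"
$hh = 'HKLM:\SOFTWARE\Microsoft\HTMLHelp'
if (Test-Path $hh) {
    $v = (Get-ItemProperty -Path $hh).data
    if ($v) { $findings += "$hh : unexpected 'data' value present: $v" }
}
if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No AppInit_DLLs or HTMLHelp indicators found.' }
```

Run from an elevated prompt; a legitimate AppInit_DLLs entry from known security or accessibility software will also be listed, so review each flagged path and its signature status rather than treating every hit as an infection.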

Connects to certain servers

Trojan:Win64/Bledoor.A opens and listens on certain ports, for example, TCP port 443 and UDP port 444. It may then connect to certain servers, such as the following, to receive instructions from a remote attacker:

  • ad.jcrsoft.com
  • sshd.8866.org
  • tcp.nhntech.com




Analysis by Andrei Florin Saygo

Last update 13 July 2012
