Backdoor:Win32/Unskal.B
First posted on 07 November 2014.
Source: Microsoft
Aliases :
There are no other names known for Backdoor:Win32/Unskal.B.
Explanation :
Threat behavior
Installation
This threat installs itself to %APPDATA%\media player classic\mplayerc.exe. It sets the file attributes to read-only, hidden, and system.
It also creates an encrypted copy as %APPDATA%\settings.ini.
It can change the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Media Player Fast Start"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Media Player Fast Start"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKCU\Software\Microsoft\Active Setup\Installed Components\
Sets value: "StubPath"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\
Sets value: "StubPath"
With data: "%APPDATA%\media player classic\mplayerc.exe"
Payload
Steals your personal information
This threat can steal your personal information and send it to a malicious hacker, including your:
- Bank account numbers.
- PC name.
- User name.
It generates a unique id and saves it in the following registry entry:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion
Sets value: "identifier"
With data: "", for example "pnjezyo"
To gather the information, the malware enumerates the running processes on the system. It parses each running process and searches for possible account numbers. It excludes a number of processes, including those with the following hashes:
- 0BF1 - explorer
- 7C7E - chrome
- 3773 - firefox
- 0768 - iexplore
- 310A - svchost
- 0CC6 - smss
- 352E - csrss
- 3102 - wininit
- 0388 - devenv
- 0CED - winlogon
- 0364 - services
- 3F26 - lssas
- 3616 - spoolsv
- 3434 - alg
- 0884 - mscorsvw
- 0B9A - mysqld
- 72FD - wmiprvse
- 3D7D - LogonUI
- 07F1 - taskhost
- 3F85 - wuauclt
Connects to a remote server
This threat connects to a remote server to upload stolen information and receive instructions from a remote hacker. We have seen it connect to the following sites using port 443:
- kitchentools.ru/showtopic.php
- cyclingtools.ru/showtopic.php
- biketools.ru/showtopic.php
It can receive the following commands from a malicious hacker:
- Change the remote server it connects to.
- Download and run files. These files are saved to %TEMP%\.
- Terminate the injected thread and itself.
- Update itself.
- Uninstall itself.
Additional information
This threat can create the following mutex:
- aMD6qt7lWb1N3TNBSe4N
It checks if a previous version of the malware exists in the system and removes it.
It then opens the following mutex:
- nuyhnJmkuTgD
It injects code into explorer.exe.
The injected code monitors the main process. If the main process is terminated, it will decrypt its copy from settings.ini, create the file %APPDATA%\winservs.exe and then execute it.
Analysis by James Dee
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
%APPDATA%\media player classic\mplayerc.exe
- You see these entries or keys in your registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Media Player Fast Start"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Media Player Fast Start"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKCU\Software\Microsoft\Active Setup\Installed Components\
Sets value: "StubPath"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\
Sets value: "StubPath"
With data: "%APPDATA%\media player classic\mplayerc.exe"
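The following PowerShell script is an added example, not part of the Microsoft write-up: it checks a host for the files, registry values, identifier and mutexes listed above. The Active Setup component subkey is truncated in the write-up, so the script matches on the StubPath data rather than on a subkey name.

```powershell
# Added example, not from the Microsoft write-up: looks for the Unskal.B
# persistence entries, dropped files and mutexes listed above. Run elevated so
# HKLM and the mutex created inside explorer.exe are visible.
$AppData = $env:APPDATA
$Artifacts = @(
    (Join-Path $AppData 'media player classic\mplayerc.exe'),
    (Join-Path $AppData 'settings.ini'),   # encrypted copy of the payload
    (Join-Path $AppData 'winservs.exe')    # re-dropped if the main process dies
)
$RunKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$ActiveSetup = @('HKCU:\Software\Microsoft\Active Setup\Installed Components',
                 'HKLM:\Software\Microsoft\Active Setup\Installed Components')
$Mutexes = @('aMD6qt7lWb1N3TNBSe4N', 'nuyhnJmkuTgD')
$findings = @()

# Dropped files: -Force is needed because mplayerc.exe is hidden+system
foreach ($f in $Artifacts) {
    if (Test-Path -LiteralPath $f) {
        $attr = (Get-Item -LiteralPath $f -Force).Attributes
        $findings += "File: $f [$attr]"
    }
}
# Run-key value name used by the installer
foreach ($k in $RunKeys) {
    $v = Get-ItemProperty -Path $k -Name 'Media Player Fast Start' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run key: $k -> $($v.'Media Player Fast Start')" }
}
# Active Setup: the write-up truncates the component subkey, so match on StubPath data
foreach ($root in $ActiveSetup) {
    foreach ($c in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $stub = (Get-ItemProperty -Path $c.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -like '*media player classic\mplayerc.exe*') {
            $findings += "Active Setup: $($c.PSPath) -> $stub"
        }
    }
}
# Per-host id the malware stores under CurrentVersion
$id = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Name 'identifier' -ErrorAction SilentlyContinue
if ($id) { $findings += "Identifier: $($id.identifier)" }
# Mutexes: OpenExisting succeeds only while a running instance holds them
foreach ($m in $Mutexes) {
    try {
        $h = [System.Threading.Mutex]::OpenExisting($m); $h.Dispose()
        $findings += "Mutex present: $m"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] { }
}
if (-not $findings) { Write-Host 'No Unskal.B indicators found.' }
$findings | ForEach-Object { Write-Warning $_ }
```

A hit on the mutex check means the backdoor is currently running, so the file and registry findings should be treated as live persistence rather than leftovers.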
Last update 07 November 2014