Backdoor:Win32/Caphaw.A
First posted on 22 November 2011.
Source: SecurityHome
Aliases:
Backdoor:Win32/Caphaw.A is also known as Backdoor.Win32.Caphaw (Ikarus).
Explanation:
Backdoor:Win32/Caphaw.A is a trojan that allows unauthorized access and control of an affected computer.
Installation
When executed, Backdoor:Win32/Caphaw.A makes a copy of itself in a variable location, such as the following:
- %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\all\
- %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng\
- %AppData%\microsoft\cryptneturlcache\metadata\
- %AppData%\microsoft\drm\
- %AppData%\microsoft\excel\xlstart\
- %AppData%\microsoft\internet explorer\
- %AppData%\microsoft\office\
- %AppData%\microsoft\word\
with a variable file name such as any of the following:
- csrss.exe
- eventvwr.exe
- expand.exe
- ie4uinit.exe
- mem.exe
- mobsync.exe
- qappsrv.exe
- route.exe
- rundll32.exe
- winmine.exe
Note that legitimate files also named "csrss.exe" and "rundll32.exe" exist by default in the Windows system folder.
The malware creates approximately 20 mutexes named "MTX_<random hex number>" (for example, "MTX_9F5977F52104E883ACC0E9DEACC0E9DE").
It modifies the registry to ensure it runs at each Windows restart:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2})
With data: "<full installation path>" (for example "%AppData%\Microsoft\Excel\xlstart\winmine.exe")
It deletes itself after it has performed its malicious routine by running a BAT file that it also drops. To run the BAT file, it runs the following command:
<system folder>\cmd.exe /c <install folder>\7.TMP.BAT
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.
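The persistence artifacts described above (a Run value named like a CLSID whose data points at one of the listed %AppData% directories and file names) can be checked offline against exported Run-key entries. The following Python script is an added example and is not code from this page or from Microsoft; the sample Run entries, the profile path C:\Users\alice\AppData\Roaming and all function names are constructed for illustration. In line with the note about csrss.exe and rundll32.exe, a file-name match only counts when the file sits outside the system folder.

```python
import re
from dataclasses import dataclass

# Directories (relative to %AppData%) and file names listed on the page.
CAPHAW_DIRS = (
    r"adobe\linguistics\dictionaries\adobe custom dictionary\all",
    r"adobe\linguistics\dictionaries\adobe custom dictionary\eng",
    r"microsoft\cryptneturlcache\metadata",
    r"microsoft\drm",
    r"microsoft\excel\xlstart",
    r"microsoft\internet explorer",
    r"microsoft\office",
    r"microsoft\word",
)
CAPHAW_NAMES = frozenset({
    "csrss.exe", "eventvwr.exe", "expand.exe", "ie4uinit.exe", "mem.exe",
    "mobsync.exe", "qappsrv.exe", "route.exe", "rundll32.exe", "winmine.exe",
})
# Default System folders named on the page (NT/2000 and XP/Vista/7).
SYSTEM_DIRS = (r"C:\Winnt\System32", r"C:\Windows\System32")
# A Run value name that looks like a registry CLSID, e.g. {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}
CLSID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)


@dataclass
class RunEntry:
    """One value under HKCU\\...\\CurrentVersion\\Run (constructed input format)."""
    name: str   # value name
    data: str   # value data: a path or a command line


def extract_image_path(data: str) -> str:
    """Return the executable path from a Run value's data string."""
    data = data.strip()
    if data.startswith('"'):                     # quoted path, arguments follow
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.search(r"\.exe", data, re.I)          # unquoted: cut after the first .exe
    return data[:m.end()] if m else data


def normalize_path(path: str, appdata: str) -> str:
    """Expand %AppData% and lower-case the path (Windows paths are case-insensitive)."""
    path = re.sub(r"%appdata%", lambda _m: appdata, path, flags=re.I)
    return path.replace("/", "\\").lower()


def caphaw_indicators(entry: RunEntry,
                      appdata: str = r"C:\Users\alice\AppData\Roaming",   # assumed profile path
                      system_dirs=SYSTEM_DIRS) -> list:
    """List which of the page's persistence traits a Run entry shows."""
    indicators = []
    if CLSID_RE.match(entry.name.strip()):
        indicators.append("clsid_value_name")
    full = normalize_path(extract_image_path(entry.data), appdata)
    directory, _, filename = full.rpartition("\\")
    appdata_l = appdata.lower()
    if any(directory == appdata_l + "\\" + d.lower() for d in CAPHAW_DIRS):
        indicators.append("caphaw_install_dir")
    in_system_dir = directory in {s.lower() for s in system_dirs}
    # csrss.exe / rundll32.exe etc. are legitimate inside the system folder,
    # so the file name only counts elsewhere.
    if filename in CAPHAW_NAMES and not in_system_dir:
        indicators.append("caphaw_file_name_outside_system_dir")
    return indicators


def is_caphaw_persistence(indicators) -> bool:
    """Flag an install-directory match, or a CLSID-named value launching a listed name outside the system folder."""
    s = set(indicators)
    return "caphaw_install_dir" in s or \
        {"clsid_value_name", "caphaw_file_name_outside_system_dir"} <= s


def scan(entries, **kw):
    """Return (value name, indicators) for every entry that trips the rule."""
    hits = []
    for e in entries:
        ind = caphaw_indicators(e, **kw)
        if is_caphaw_persistence(ind):
            hits.append((e.name, ind))
    return hits


# Constructed sample Run entries: one matching the page's example, two benign
# or ambiguous ones, and one that matches only by install directory.
SAMPLE_RUN_ENTRIES = [
    RunEntry("{FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}",
             r"%AppData%\Microsoft\Excel\xlstart\winmine.exe"),
    RunEntry("OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry("{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}",
             r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
    RunEntry("Updater", r"%AppData%\microsoft\drm\route.exe"),
]

if __name__ == "__main__":
    for name, ind in scan(SAMPLE_RUN_ENTRIES):
        print(f"SUSPICIOUS Run value {name}: {', '.join(ind)}")
```

On a live host the entries would come from an export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run (for example from a registry dump or an autoruns listing) rather than the constructed list; the rule deliberately treats a CLSID-named value on its own as insufficient, since the directory and file-name traits are what this page ties to the family.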
Backdoor:Win32/Caphaw.A injects itself into the following processes to hinder detection and removal:
- firefox.exe
- iexplore.exe
- explorer.exe
- reader_sl.exe
Payload
Allows backdoor access and control
Backdoor:Win32/Caphaw.A attempts to communicate using TCP port 443 to certain servers, such as the following:
- web<removed>es.cc
- exte<removed>adv.cc
- no<removed>here.cc
- commonworld<removed>.cc
An attacker can perform any number of different actions on a computer infected with this threat, such as:
- Control of the system desktop, which allows the attacker to see the desktop and to gain control of the mouse and keyboard
- Access to files and folders via an internal FTP server
- Redirect Internet traffic via a proxy server
- Send ICMP packets that can be used in distributed denial-of-service (DDoS) attacks
- Log and redirect web traffic from Mozilla Firefox and Internet Explorer
- Update itself
- Shut down or restart the computer
Additional information
This threat has been observed spreading as a post on users' Facebook walls.
Analysis by Mihai Calota
Last update 22 November 2011