Backdoor:Win32/Wkysol.F
First posted on 01 February 2012.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Wkysol.F.
Explanation:
Backdoor:Win32/Wkysol.F is a backdoor trojan that allows remote access and control of an affected computer. The backdoor may steal information from the popular network games 'World of Warcraft' (also known as WoW) and 'Runescape'.
This backdoor trojan has been observed to be installed when certain malicious PDF files are opened that exploit a vulnerability affecting Adobe Reader and Acrobat. The vulnerability used by these PDF files is an unspecified flaw in the U3D component of Adobe Reader and Acrobat and is tracked as CVE-2011-2462.
Installation
Backdoor:Win32/Wkysol.F installs a malicious DLL component as %TEMP%\<NUMBER>.dll (for example, 148796.dll, 178578.dll, or 217187.dll).
It creates the following registry entry so that the DLL is loaded at each Windows start:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "office"
With data: ""<system folder>\rundll32.exe" as %temp%\<NUMBER>.dll,s"
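As an added example that is not part of Microsoft's write-up, the following Python checks Run-key values for the persistence pattern described above: rundll32.exe loading an all-numeric DLL from the user's temp directory. The Run values it scans and the temp directory path C:\Users\alice\AppData\Local\Temp are constructed assumptions; on a live host the same function can be fed the values read from HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

```python
"""Check Windows Run-key values for the persistence pattern described in this
entry: rundll32.exe loading an all-numeric DLL from the user's temp directory.
Added example code, not from Microsoft's analysis; the Run values and the temp
directory path below are constructed."""
import ntpath
import re

# Locates the rundll32 invocation and captures everything after it, whether or
# not the executable path was quoted.
RUNDLL32_RE = re.compile(r'rundll32\.exe"?\s+(?P<args>.+)$', re.IGNORECASE)
# File names like 148796.dll, 178578.dll or 217187.dll.
NUMERIC_DLL_RE = re.compile(r"^\d+\.dll$", re.IGNORECASE)

# Constructed sample: one entry in the shape the malware writes, two benign ones.
SAMPLE_RUN_VALUES = {
    "office": r'"C:\Windows\system32\rundll32.exe" %temp%\148796.dll,s',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'"C:\Windows\system32\rundll32.exe" "C:\Program Files\Vendor\update.dll",Run',
}


def parse_rundll32(command):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.search(command)
    if m is None:
        return None
    args = m.group("args").strip()
    if args.startswith('"'):
        # Quoted DLL path: take everything up to the closing quote.
        end = args.find('"', 1)
        if end == -1:
            return None
        dll, rest = args[1:end], args[end + 1:]
    else:
        # Unquoted: the DLL is the last whitespace-separated token before the
        # comma, which also tolerates stray leading tokens in the value data.
        head, sep, tail = args.partition(",")
        if not sep:
            return None
        tokens = head.split()
        dll, rest = (tokens[-1] if tokens else ""), sep + tail
    rest = rest.strip()
    if not rest.startswith(","):
        return None
    entry = rest[1:].strip().split()
    return dll, (entry[0] if entry else "")


def is_in_temp(dll_path, temp_dir):
    """True if the DLL lives under %TEMP%, unexpanded or expanded."""
    p = dll_path.lower().replace("/", "\\")
    return p.startswith("%temp%\\") or p.startswith(temp_dir.lower().rstrip("\\") + "\\")


def find_suspicious_run_entries(run_values, temp_dir=r"C:\Users\alice\AppData\Local\Temp"):
    """Flag Run values where rundll32 loads an all-numeric DLL from the temp directory."""
    findings = []
    for name, command in run_values.items():
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        dll, entry = parsed
        # Both structural indicators are required; the export name alone is weak,
        # so it is reported as extra context rather than used as a trigger.
        if is_in_temp(dll, temp_dir) and NUMERIC_DLL_RE.match(ntpath.basename(dll)):
            findings.append({"value": name, "dll": dll, "entry": entry,
                             "export_matches_sample": entry.lower() == "s"})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {hit['value']!r}: {hit['dll']} (export {hit['entry']})")
```

The check deliberately keys on the two structural properties (temp directory plus numeric file name) rather than on the literal value name "office", which an attacker can change freely; the entry point name is reported only as supporting context.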
Payload
Backdoor:Win32/Wkysol.F only executes its payload if the backdoor DLL is loaded by either of the following processes:
- wow.exe (used by 'World of Warcraft')
- jagexlauncher.exe (used by 'Runescape')
Allows backdoor access and control
Backdoor:Win32/Wkysol.F has been observed to connect to attacker sites whose addresses are hard-coded in the binary. In the wild, we have observed it connecting to the following URLs over HTTP:
- 74.82.172.185/wow/wow.asp
- w.noboost.net:88/msn.asp
- down.360safe.com/inst.exe
Once connected, and depending on the command received, the attacker may download malware configuration and binary updates to %TEMP%\mpcore.txt and %TEMP%\ttcerg.txt. If the download succeeds, the malware terminates its own process.
The malware may also steal credentials from a user-configuration file:
%wow path%\wtf\Config.wtf
where %wow path% is the location where the 'World of Warcraft' games are installed.
Steals information
Backdoor:Win32/Wkysol.F attempts to capture messages posted to the message queue, and send these details to a remote attacker. Data includes operating system details from the infected computer.
We have observed the malware connecting to the following small set of URLs:
- hotcaronline.com/rs/msn.asp
- 74.82.172.185/rs/wow.asp
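As an added example that is not part of the original analysis, the following Python matches outbound proxy requests against the URLs listed in both sections above (the command-and-control addresses under "Allows backdoor access and control" and the exfiltration addresses just listed). The log format and the log lines are constructed; the only values taken from the page are the host and path pairs.

```python
"""Match proxy-log requests against the URLs listed in this entry.
Added example, not part of Microsoft's write-up; the log format and the log
lines below are constructed."""
from urllib.parse import urlsplit

# (host[:port], path) pairs exactly as listed on the page, lowercased.
KNOWN_URLS = {
    ("74.82.172.185", "/wow/wow.asp"),
    ("w.noboost.net:88", "/msn.asp"),
    ("down.360safe.com", "/inst.exe"),
    ("hotcaronline.com", "/rs/msn.asp"),
    ("74.82.172.185", "/rs/wow.asp"),
}
KNOWN_HOSTS = {host for host, _ in KNOWN_URLS}

# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """
1328097600.123 10.0.0.5 GET http://74.82.172.185/wow/wow.asp 200
1328097601.456 10.0.0.5 GET http://w.noboost.net:88/msn.asp 200
1328097602.789 10.0.0.7 GET http://www.example.com/index.html 200
1328097603.000 10.0.0.5 GET http://74.82.172.185/rs/wow.asp 200
1328097604.000 10.0.0.9 GET http://hotcaronline.com/RS/MSN.ASP 200
1328097605.000 10.0.0.9 GET http://74.82.172.185/other.html 404
""".strip().splitlines()


def normalize(url):
    """Split a URL into (host[:port], path), lowercased, with the default port dropped."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.netloc.lower()
    if host.endswith(":80"):
        host = host[:-3]
    # ASP paths are served case-insensitively, so compare them lowercased.
    path = parts.path.lower() or "/"
    return host, path


def classify_url(url):
    """'full' for an exact host+path match, 'host_only' for the host alone, else None."""
    host, path = normalize(url)
    if (host, path) in KNOWN_URLS:
        return "full"
    if host in KNOWN_HOSTS:
        return "host_only"
    return None


def scan_proxy_log(lines):
    """Return one finding per log line whose URL matches a listed host or URL."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        ts, client, _method, url, _status = fields[:5]
        confidence = classify_url(url)
        if confidence:
            hits.append({"time": ts, "client": client, "url": url, "confidence": confidence})
    return hits


def infected_clients(lines):
    """Clients with at least one exact URL match, sorted for reporting."""
    return sorted({h["client"] for h in scan_proxy_log(lines) if h["confidence"] == "full"})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['confidence']:9} {hit['client']} {hit['url']}")
    print("clients to triage:", infected_clients(SAMPLE_LOG))
```

Full host-plus-path matches are the ones worth acting on; a host-only match is kept as lower-confidence context because the same address (74.82.172.185 here) serves more than one listed path, while a host such as down.360safe.com may also carry unrelated traffic.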
Analysis by Rodel Finones
Last update 01 February 2012