
Backdoor:Win32/Wkysol


First posted on 25 January 2012.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Win32/Wkysol.

Explanation:

Backdoor:Win32/Wkysol is a family of malware that allows backdoor access and control of an affected computer. This backdoor trojan has been observed to be installed when opening certain malicious PDF files that exploit a vulnerability affecting Adobe Reader and Acrobat. This malicious exploit in PDF files is detailed as an unspecified vulnerability in the U3D component in Adobe Reader and Acrobat and is further discussed in CVE-2011-2462.



Installation

Backdoor:Win32/Wkysol normally consists of two separate components:

  • Installer component: Installs the auto start routine, dropper and injector of the malicious DLL
  • Malicious DLL: Contains the backdoor payload


It drops copies of itself in the <local settings> folder, for example:

  • Help.exe
  • Pretty.exe
  • Auto.exe


Note: This list is not exhaustive.

Backdoor:Win32/Wkysol searches for 'explorer.exe' and, when it is found, copies the privileges associated with that process.

The malware makes the following changes to the registry to ensure that its copy executes at each Windows start:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: 'start'
Sets value: 'office'
With data: Documents and Settings\<username>\Local Settings\<dropped copy>

Variants of this malware can also delete the original Win32/Wkysol files, running processes and registry entries.
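The registry persistence described above (a Run value named 'start' or 'office' whose data points straight into Local Settings at one of the dropped copies) can be checked for on a suspect host. The following is an added example for defenders, not code from the original description: it scores each Run value against the indicators on this page, reads HKCU\...\Run via winreg where available, and runs against constructed sample entries elsewhere.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the Wkysol description: Run value names, dropped file
# names and the "Documents and Settings\<username>\Local Settings\<dropped copy>" path.
RUN_VALUE_NAMES = {"start", "office"}
DROPPED_NAMES = {"help.exe", "pretty.exe", "auto.exe"}
LOCAL_SETTINGS_RE = re.compile(
    r"documents and settings\\[^\\]+\\local settings\\([^\\]+\.exe)$", re.IGNORECASE)


def classify_run_entry(name: str, data: str) -> Tuple[str, List[str]]:
    """Score one Run value: 'high' (2+ indicators), 'medium' (1) or 'none' (0)."""
    reasons = []
    if name.lower() in RUN_VALUE_NAMES:
        reasons.append(f"value name '{name}' is one used by Wkysol")
    match = LOCAL_SETTINGS_RE.search(data.strip().strip('"'))
    if match:
        # Legitimate autostart entries rarely live directly in Local Settings.
        reasons.append("data launches an executable directly from Local Settings")
        if match.group(1).lower() in DROPPED_NAMES:
            reasons.append(f"file name '{match.group(1)}' matches a known dropped copy")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "none"
    return severity, reasons


def scan_run_entries(entries: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, severity, reasons) for every entry that matched something."""
    findings = []
    for name, data in entries.items():
        severity, reasons = classify_run_entry(name, data)
        if severity != "none":
            findings.append((name, severity, reasons))
    return findings


def read_hkcu_run() -> Dict[str, str]:
    """Read the current user's Run key on Windows; return {} where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)  # OSError when exhausted
            except OSError:
                break
            entries[name] = str(data)
            index += 1
    return entries
```

On a non-Windows host, feed `scan_run_entries` with values exported from the suspect machine (for example the output of `reg query` parsed into a name-to-data dictionary).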



Payload

Allows backdoor access and control

Backdoor:Win32/Wkysol allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Wkysol. This could include, but is not limited to, the following actions:

  • Delete files
  • Download and execute arbitrary files
  • Modify port number of a computer's terminal server
  • Modify system settings
  • Retrieve proxy server information
  • Run or terminate applications
  • Upload files


Injects code into processes

On execution, the installer component drops its DLL component into the <local settings> folder.

The DLL is then injected into the following processes:

  • outlook.exe
  • iexplorer.exe
  • firefox.exe


Contacts remote hosts

In the wild, we have observed Win32/Wkysol contacting the following remote hosts:

  • racin<removed>ax.com/asp/kys_allow_get.asp
  • prett<removed>ikeher.com/asp/kys_allow_get.asp
  • welld<removed>e123.net/kys_allow_get.asp


Malware may do this for any number of purposes; we observed Backdoor:Win32/Wkysol contacting these hosts in order to update its components.

Terminates processes

Backdoor:Win32/Wkysol terminates specified processes, including those related to particular security applications, should they be running on an affected computer. It may also terminate itself after execution.



Analysis by Patrick Estavillo

Last update 25 January 2012
