Backdoor:Win32/Moudoor
First posted on 22 August 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Moudoor is also known as TROJ_SCAR.ADS (Trend Micro), Trojan.KillProc.14145 (Dr.Web), Trojan/Win32.Scar (AhnLab).
Explanation:
Backdoor:Win32/Moudoor is a family of backdoor trojans that steal sensitive data, allow unauthorized access and control of your computer, and download and execute arbitrary files.
Installation
Backdoor:Win32/Moudoor may arrive on your computer bundled with a legitimate program.
The trojan modifies the following registry entry to ensure that it runs at each Windows start:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "%TEMP%\<malware file>", for example, "C:\Users\<user name>\AppData\Local\Temp\antivir.exe"
Note: <malware value> can be any of the following:
- Microsoft Update
- SymantecLiveUpdate
- SymantecUpdate
It uses a mutex to ensure that only one instance of the trojan is running at a time. Variants of Backdoor:Win32/Moudoor have been known to use the following names when creating the mutex:
- IEPASS
- UpdateWindow
- Update-Window
In the wild, we have observed variants of Backdoor:Win32/Moudoor dropping a program file (EXE) into the %TEMP% folder with any of the following file names:
- antivir.exe
- start.exe
- svohost.exe
- vptray.exe
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of the per-user Temporary Files folder for Windows 2000 and XP is "C:\Documents and Settings\<user name>\Local Settings\Temp" (short form "C:\DOCUME~1\<user>\LOCALS~1\Temp"); for Windows Vista and 7 it is "C:\Users\<user name>\AppData\Local\Temp".
Depending on the variant of Backdoor:Win32/Moudoor this file may be either a copy of itself or another variant of the Backdoor:Win32/Moudoor family.
The program file then drops and loads a DLL file, which performs Backdoor:Win32/Moudoor's payload. We have observed the dropped file with the following file names:
- %TEMP%\auto.dat
- %TEMP%\up.bak
- %WINDIR%\up.bak
Note: %WINDIR% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows directory for Windows 2000, XP, and 2003 is "C:\Windows" or "C:\WinNT". For Windows Vista and 7, the default location is "C:\Windows".
Payload
Steals sensitive data
Backdoor:Win32/Moudoor attempts to gather the following data from your computer:
- RAS (remote access service) credentials
- System version information, for example, the version of your operating system
Backdoor:Win32/Moudoor logs keystrokes and obtains screenshots of your computer.
Gathered credentials are saved as an encoded file in the System folder with a file name in the format of "KB<number>.dat", for example "<system folder>\KB1035627.dat".
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".
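The persistence entry, the dropped files and the KB<number>.dat credential store described above are all name- and location-based artifacts, so they can be checked with a short triage script. The following is an added example, not Microsoft's code: it applies those checks to constructed snapshots of the Run key and of the %TEMP%, %WINDIR% and System folders (a real triage would feed it `reg query` output and directory listings instead). The value names "Microsoft Update" and "SymantecLiveUpdate" are chosen to look legitimate, so the script keys on where the autorun target lives (%TEMP%) rather than on the name alone, and flags any Run value launching from %TEMP% even when the name is not one of the three listed. Function names and snapshot contents are this example's own.

```python
"""Host triage for the Backdoor:Win32/Moudoor artifacts described above.

Added example, not Microsoft's code. It runs against constructed snapshots
(the SAMPLE_* values below) instead of a live registry or file system so it
can be exercised offline. Value names, file names and locations come from
the page; function names and snapshot contents are this example's own.
"""
import re
from pathlib import PureWindowsPath

# Run-key value names used by the trojan. They imitate legitimate updaters,
# so the name alone proves nothing: the discriminator is a data value that
# launches an EXE from the user's Temp folder.
RUN_VALUE_NAMES = {"Microsoft Update", "SymantecLiveUpdate", "SymantecUpdate"}
DROPPED_EXE_NAMES = {"antivir.exe", "start.exe", "svohost.exe", "vptray.exe"}
PAYLOAD_NAMES = {"auto.dat", "up.bak"}                  # dropped DLL payload
CRED_STORE = re.compile(r"^KB\d+\.dat$", re.IGNORECASE)  # encoded credentials

# Per-user Temp folder on the Windows versions the page covers (2000/XP:
# Documents and Settings, also in 8.3 form; Vista/7: Users), plus the
# unexpanded environment-variable forms.
TEMP_MARKERS = ("%temp%", "%tmp%", r"\appdata\local\temp",
                r"\local settings\temp", r"\locals~1\temp")


def command_path(data: str) -> str:
    """Return the executable from a Run value's data (quoted or bare command line)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def under_temp(path: str) -> bool:
    """True if the path lies in a per-user Temp folder on any covered Windows version."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def check_run_key(run_values: dict) -> list:
    """Inspect the HKCU Run key values. Returns (label, value name, exe path)."""
    findings = []
    for name, data in run_values.items():
        exe = command_path(data)
        if not under_temp(exe):
            continue
        base = PureWindowsPath(exe).name.lower()
        if name in RUN_VALUE_NAMES or base in DROPPED_EXE_NAMES:
            findings.append(("moudoor-autorun", name, exe))
        else:
            # Not a documented Moudoor name, but no legitimate updater
            # persists from %TEMP%; worth a look regardless.
            findings.append(("temp-autorun", name, exe))
    return findings


def check_files(temp_files, windir_files, system_files) -> list:
    """Match dropped components by file name in the three folders the page names."""
    findings = []
    for f in temp_files:
        base = PureWindowsPath(f).name.lower()
        if base in DROPPED_EXE_NAMES:
            findings.append(("dropped-exe", f))
        elif base in PAYLOAD_NAMES:
            findings.append(("payload-dll", f))
    for f in windir_files:
        if PureWindowsPath(f).name.lower() == "up.bak":
            findings.append(("payload-dll", f))
    for f in system_files:
        if CRED_STORE.match(PureWindowsPath(f).name):
            findings.append(("credential-store", f))
    return findings


# Constructed snapshots standing in for a real host (not captured data).
SAMPLE_RUN = {
    "Java Update": r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    "SymantecLiveUpdate": r"C:\Users\alice\AppData\Local\Temp\antivir.exe",
    "Updater": r"%TEMP%\helper.exe",
}
SAMPLE_TEMP = [r"C:\Users\alice\AppData\Local\Temp\antivir.exe",
               r"C:\Users\alice\AppData\Local\Temp\up.bak",
               r"C:\Users\alice\AppData\Local\Temp\~DF3A1F.tmp"]
SAMPLE_WINDIR = [r"C:\Windows\explorer.exe", r"C:\Windows\up.bak"]
SAMPLE_SYSTEM = [r"C:\Windows\System32\kernel32.dll",
                 r"C:\Windows\System32\KB1035627.dat"]


def triage(run_values=SAMPLE_RUN, temp_files=SAMPLE_TEMP,
           windir_files=SAMPLE_WINDIR, system_files=SAMPLE_SYSTEM) -> list:
    """Run every check and return the combined findings."""
    return check_run_key(run_values) + check_files(temp_files, windir_files, system_files)


if __name__ == "__main__":
    for finding in triage():
        print(*finding)
```

A KB<number>.dat in the System folder is distinctive enough to act on. The dropped executable names are weaker on their own (vptray.exe is also the name of a legitimate Symantec AntiVirus tray component when it lives under Program Files), which is why check_files only considers files in the folders the page names.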
Allows backdoor access and control
Backdoor:Win32/Moudoor attempts to connect to the attacker's server on ports 80, 443, and 53 to report the infection and receive further instructions. Using the ports normally associated with web and DNS traffic helps the connection pass firewall rules that allow those ports outbound.
Once connected, the remote attacker may perform the following actions on your computer:
- Download and run updates, or other arbitrary files, for example, "%windir%\httpd.exe"
- Shutdown or reboot your computer
- List all services, processes, and drives - this list is saved to a file and then sent to the attacker
- Terminate processes and services that may be related to antivirus and antimalware software, such as the following, as observed in our samples:
- 360sd.exe
- 360tray.exe
- ashdisli.exe
- avcenter.exe
- avli.exe
- egui.exe
- knsdtray.exe
- kvmonxli.exe
- kxetray.exe
- mcshield.exe
- ravmond.exe
- tmbmsrv.exe
- Open/close CD drives
Note: At the time of analysis, the remote server was inaccessible, so we were unable to confirm which file Backdoor:Win32/Moudoor downloads.
In the wild, we have observed variants of Backdoor:Win32/Moudoor connect to the following addresses:
- 58.64.155.59
- hahadoctor.chickenkiller.com
- justagoodmove.jumpingcrab.com
- melodymonthly.ignorelist.com
- naverdorm.strangled.net
- safebrow.flnet.org
- usa-mail.scieron.com
- usc-data.suroot.com
- webxxx.suroot.com
In order to more easily connect to these addresses, Backdoor:Win32/Moudoor bypasses your computer's proxy, if enabled, by modifying the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Sets value: "ProxyBypass"
With data: "1"
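The addresses listed above are exact indicators, so matching them in DNS, proxy and firewall logs is mechanical. The following added example (not Microsoft's code) does that over a few constructed log lines, records the destination port so that a hit on 53 stands out (the page says the backdoor uses 80, 443 and 53, and a connection to this address on 53 will look like DNS to a port-based rule), and optionally applies a broader heuristic that is this example's own assumption rather than something the page states: flagging other hostnames under the same parent domains (chickenkiller.com, suroot.com and so on), since every listed name is a third-level name under a shared parent and an actor who registered one could register more. The log format, the internal client addresses and the function names are constructed for this example.

```python
"""Match the Backdoor:Win32/Moudoor network indicators listed above against
DNS, proxy and firewall log lines.

Added example, not Microsoft's code. The indicator lists are taken from the
page; the log format, internal client addresses and function names are
constructed for this example.
"""
import re

C2_HOSTS = {
    "hahadoctor.chickenkiller.com",
    "justagoodmove.jumpingcrab.com",
    "melodymonthly.ignorelist.com",
    "naverdorm.strangled.net",
    "safebrow.flnet.org",
    "usa-mail.scieron.com",
    "usc-data.suroot.com",
    "webxxx.suroot.com",
}
C2_IPS = {"58.64.155.59"}

# Parent domains of the listed hostnames. Flagging *other* names under these
# parents is a broader heuristic (this example's assumption, not a page
# claim): it catches a second registration by the same actor but will also
# hit unrelated users of those shared parent domains, so treat such hits as
# leads rather than detections.
C2_PARENTS = {h.split(".", 1)[1] for h in C2_HOSTS}

# IPv4 address with an optional ":port" suffix, and a dotted hostname whose
# last label is alphabetic (so bare IPs are not mistaken for hostnames).
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b(?::(\d{1,5}))?")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def match_line(line: str, broad: bool = False) -> list:
    """Return (kind, indicator, port) for each indicator found in one log line."""
    hits = []
    for m in IP_RE.finditer(line):
        ip, port = m.group(1), m.group(2)
        if ip in C2_IPS:
            hits.append(("c2-ip", ip, port))
    for host in HOST_RE.findall(line):
        h = host.lower().rstrip(".")
        if h in C2_HOSTS:
            hits.append(("c2-host", h, None))
        elif broad and any(h.endswith("." + p) for p in C2_PARENTS):
            hits.append(("shared-parent", h, None))
    return hits


def scan(log_text: str, broad: bool = False) -> list:
    """Scan a multi-line log; returns (line number, kind, indicator, port)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for kind, indicator, port in match_line(line, broad):
            findings.append((lineno, kind, indicator, port))
    return findings


# Constructed log excerpt (not real traffic): a DNS lookup of a listed name,
# a proxy CONNECT to the listed IP, benign noise, a sibling name under a
# shared parent, and a firewall record of the C2 address contacted on 53/udp.
SAMPLE_LOG = """\
2012-08-22T10:01:02Z dns   10.0.0.5 A hahadoctor.chickenkiller.com
2012-08-22T10:01:03Z proxy 10.0.0.5 CONNECT 58.64.155.59:443
2012-08-22T10:02:10Z dns   10.0.0.7 A www.microsoft.com
2012-08-22T10:03:44Z dns   10.0.0.9 A tools.suroot.com
2012-08-22T10:05:00Z fw    10.0.0.5 -> 58.64.155.59:53 udp ALLOW
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, broad=True):
        print(*finding)
```

Because the backdoor rewrites the ProxyBypass setting, an infected host may reach these addresses without ever appearing in proxy logs; that is why the example also reads DNS and firewall records, where a direct connection to the listed IP on 80, 443 or 53 still leaves a trace.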
Analysis by Rodel Finones
Last update 22 August 2012