Backdoor:MSIL/Pontoeb.J
First posted on 26 December 2011.
Source: Microsoft
Aliases:
Backdoor:MSIL/Pontoeb.J is also known as Trojan.MulDrop3.21941 (Dr.Web), Backdoor.MSIL.Agent.fyc (Kaspersky), Backdoor:MSIL/Bafrus.J (other).
Explanation:
Backdoor:MSIL/Pontoeb.J is a trojan that may allow backdoor access and control of an affected computer.
Installation
Backdoor:MSIL/Pontoeb.J may be distributed as a file with an enticing name such as "Need.For.Speed.The.Run.Unlocked-TF.exe" or "Dota 2 Betakeys.txt.exe". Once run, it drops copies of itself as the following:
- %AppData%\wscntfy.exe
- %CommonProgramFiles%\lsmass.exe
The registry is modified to run the trojan files at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows-Audio Driver"
With data: "%AppData%\wscntfy.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Windows-Network Component"
With data: "%CommonProgramFiles%\lsmass.exe"
Payload
Bypasses Windows firewall
This trojan modifies the Windows firewall policy by adding its dropped copy to the firewall's authorized-applications list through the registry, so that the trojan's network traffic is not blocked by Windows firewall.
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "%AppData%\wscntfy.exe"
With data: "%AppData%\wscntfy.exe:*:enabled:windows-audio driver"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%AppData%\wscntfy.exe"
With data: "%AppData%\wscntfy.exe:*:enabled:windows-audio driver"
Redirects log session tracing
Backdoor:MSIL/Pontoeb.J hinders network traffic debugging of an affected computer by modifying registry data to redirect event tracing.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
Sets value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier
Sets value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
Sets value: "Guid"
With data: "8aefce96-4618-42ff-a057-3536aa78233e"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
Sets value: "Guid"
With data: "710adbf0-ce88-40b4-a50d-231ada6593f0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
Sets value: "Guid"
With data: "b0278a28-76f1-4e15-b1df-14b209a12613"
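As an added example (not part of the Microsoft write-up), the following read-only PowerShell audit reports whether the dropped files, autostart values, firewall exceptions and tracing redirections listed above are present on a host. It assumes the value names and file names are as documented on this page; it only reports findings and removes nothing.

```powershell
# Added example, not from the Microsoft write-up: a read-only audit for the
# persistence, firewall and tracing artifacts documented on this page.
# Run from an elevated prompt so HKLM and %CommonProgramFiles% are readable.
function Find-PontoebArtifacts {
    $hits = @()

    # 1. Dropped copies of the trojan (paths assumed as documented)
    foreach ($p in @("$env:APPDATA\wscntfy.exe", "$env:CommonProgramFiles\lsmass.exe")) {
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Category = 'DroppedFile'; Location = $p
                                        Detail = (Get-Item -LiteralPath $p).LastWriteTime }
        }
    }

    # 2. Autostart entries: the value names are the stable indicator, the data is the dropped path
    $runKeys = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                  = 'Windows-Audio Driver'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = 'Windows-Network Component'
    }
    foreach ($key in $runKeys.Keys) {
        $name  = $runKeys[$key]
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$name]) {
            $hits += [pscustomobject]@{ Category = 'Autostart'; Location = "$key\$name"; Detail = $props.$name }
        }
    }

    # 3. Firewall exceptions: legacy AuthorizedApplications list, data format "path:*:enabled:name"
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key   = "$fwBase\$profile\AuthorizedApplications\List"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -notlike 'PS*' -and
                ($prop.Name -like '*\wscntfy.exe' -or "$($prop.Value)" -like '*windows-audio driver*')) {
                $hits += [pscustomobject]@{ Category = 'FirewallException'; Location = "$key\$($prop.Name)"; Detail = $prop.Value }
            }
        }
    }

    # 4. Event tracing redirected to "stdout" for the components named on the page
    $trBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft'
    foreach ($comp in 'eappcfg', 'eappprxy', 'QUtil', 'NAP\Netsh', 'qagent') {
        $props = Get-ItemProperty -Path "$trBase\$comp" -Name LogSessionName -ErrorAction SilentlyContinue
        if ($props -and $props.LogSessionName -eq 'stdout') {
            $hits += [pscustomobject]@{ Category = 'TracingRedirect'; Location = "$trBase\$comp"; Detail = 'stdout' }
        }
    }
    return $hits
}

Find-PontoebArtifacts | Format-Table -AutoSize
```

An empty table means none of the documented artifacts were found; a hit in the Autostart or FirewallException category alone is worth investigating even if the dropped files have since been deleted.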
Allows backdoor access and control
Backdoor:MSIL/Pontoeb.J may connect to the IP address "77.<removed>.4.101" to receive commands from a remote attacker, allowing that attacker to access and control the affected computer. These commands may include, but are not limited to, the following:
- Connect to a specified website
- Download files
- Gather the following information about the affected computer:
  - Disk drive serial number
  - System drive details
  - Operating system
  - Processor architecture
- Perform HTTP, SYN, and UDP flooding
- Update itself
Analysis by Francis Allan Tan Seng
Last update 26 December 2011