Home / malware Backdoor:Win32/Wkysol.E
First posted on 20 January 2012.
Source: MicrosoftAliases :
There are no other names known for Backdoor:Win32/Wkysol.E.
Explanation :
Backdoor:Win32/Wkysol.E is a trojan that allows unauthorized remote access and control of an affected computer. This trojan has been observed being installed when opening certain malicious PDF files that exploit a vulnerability affecting Adobe Reader and Acrobat. This malicious exploit in PDF files is detailed as an unspecified vulnerability in the U3D component in Adobe Reader and Acrobat and is further discussed in CVE-2011-2462.
Top
Backdoor:Win32/Wkysol.E is a trojan that allows unauthorized remote access and control of an affected computer. This trojan has been observed being installed when opening certain malicious PDF files that exploit a vulnerability affecting Adobe Reader and Acrobat. This malicious exploit in PDF files is detailed as an unspecified vulnerability in the U3D component in Adobe Reader and Acrobat and is further discussed in CVE-2011-2462.
For more information about these related threats, please see the descriptions for Exploit:JS/Pdfjsc and Exploit:Win32/CVE-2011-2462 elsewhere in the encyclopedia.
Installation
Backdoor:Win32/Wkysol.E may install itself in the <backdoor path> location as any of the following:
- aa.scr
- algsvc.exe
- info.exe
- insight.exe
- mshelp.exe
- pretty.exe
- server.exe
where <backdoor path> is one folder up from the %Temp% folder.
The time-stamp is taken from the clean windows system file <system folder>\svchost.exe with the intent to hide the malware's presence.
Backdoor:Win32/Wkysol.E modifies the following registry entry to ensure that its copy executes at each Windows start:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Office"
With data: "<backdoor path>\<malware name>"
The backdoor drops an embedded component DLL as "<random>.tmp" (for example, wse4ef1.tmp) under the <backdoor path> directory; this file is also detected as Backdoor:Win32/Wkysol.E. The DLL is injected into processes that contain any of the following strings:
- outlook
- iexplore
- firefox
Backdoor:Win32/Wkysol.E executes its dropped copy, then terminates and deletes the original trojan.
Payload
Allows backdoor access and control
Backdoor:Win32/Wkysol.E allows unauthorized backdoor access and control of an affected computer. In the wild, we have observed the backdoor connecting to a remote attacker using the following URLs via HTTP protocol:
- info.easyfindjoy<removed>/asp/kys_allow_get.asp?name=getkys.kys
- webmail.easyfindjoy<removed>/asp/kys_allow_get.asp?name=getkys.kys
- <removed>insightpublicaffairs.org/asp/kys_allow_get.asp?name= getkys.kys
- <removed>bodyshowworld.com/asp/kys_allow_get.asp?name=getkys.kys
The backdoor sends information back to the remote host, such as the infected computer's name, IP address and the bot identifier.
Using this backdoor, an attacker can perform a number of actions on an affected computer. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications or processes
- Reboot the computer
- Delete files
Uninstalls itself
Backdoor:Win32/Wkysol.E can remove its own malicious components from the infected computer by executing a "-remove" parameter. By executing this parameter, it:
- Terminates its own running process
- Deletes its 'auto start' entry
Analysis by Rodel Finones
Last update 20 January 2012