
Backdoor:Win32/Losfondup.B


First posted on 05 February 2013.
Source: Microsoft

Aliases:

Backdoor:Win32/Losfondup.B is also known as TROJ_EYDIEN.PB (Trend Micro).

Explanation:

Backdoor:Win32/Losfondup.B may be installed and run by other malware. In the wild, we have seen it originally use the file name "ylccvty.dll".

Installation

When run, Backdoor:Win32/Losfondup.B checks if its parent process is one of the following:

  • LOGONUI.EXE
  • LSASS.EXE
  • SEARCHPROTOCOLHOST.EXE
  • SERVICES.EXE
  • WININIT.EXE


If the parent process is one of these, the trojan does not run. Otherwise, it continues to install itself on your computer and deliver its payload.

The trojan checks if the following file exists (possibly to determine if a previous version of the trojan has been installed on your computer):

%ALLUSERSPROFILE%\Documents\<reverse malware file name>.dat

Note: %ALLUSERSPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\All Users". For Windows Vista, 7, and 8, the default location is "C:\ProgramData".

If the file exists, the trojan will deliver its payloads.

If the file does not exist, the trojan copies itself to the folder "%ALLUSERSPROFILE%\Application Data" with a randomly generated name, for example "mnjetuwilon.dat".

The trojan generates the file name from the following strings:

  • 32
  • 64
  • aim
  • ali
  • and
  • arj
  • as
  • aso
  • co
  • com
  • cra
  • dim
  • dll
  • do
  • ebx
  • eso
  • etu
  • exe
  • fil
  • fo
  • hum
  • je
  • jm
  • lo
  • lon
  • lop
  • mnj
  • ni
  • or
  • qui
  • qwe
  • rim
  • sim
  • sub
  • tem
  • to
  • vir
  • wh
  • wi
  • win


If the trojan cannot copy itself, it creates and uses a batch script file to delete itself from your computer.

The trojan places a configuration file into the folder "%ALLUSERSPROFILE%\Documents". It uses the reverse of the generated name for the file name, for example "noliwutejnm.dat".

The file contains information about the trojan and your computer, such as the folders it is installed to, the name and version of the trojan, the files it uploads, the sizes of its files and the server it will attempt to connect to.

The trojan registers itself as a legitimate component of the Windows system service "SENS" (System Event Notification Service) by modifying the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\SENS\Parameters
Sets value: "ServiceDll"
With data: "%ALLUSERSPROFILE%\Application Data\<random name>.dat", for example "mnjetuwilon.dat"

Backdoor:Win32/Losfondup.B also modifies the following registry entries to ensure that its modified version of the "SENS" service is loaded at each Windows start:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\COMSysApp
Sets value: "Start"
With data: "0x02"

In subkey: HKLM\SYSTEM\CurrentControlSet\services\SENS
Sets value: "Start"
With data: "0x02"

When the Windows system service SENS is started, the trojan is loaded instead of the original, legitimate one. To hide its presence, the trojan also performs the normal functions of the legitimate SENS service.
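The registry changes above are the most durable artefact of this trojan, so a defender's first check is whether the SENS service host still points at the real sens.dll. The following is an added example, not code from the Microsoft write-up: it audits a snapshot of the services key (here a constructed dictionary standing in for values read from HKLM\SYSTEM\CurrentControlSet\services) and flags a ServiceDll that has been redirected to a .dat file in a profile folder, plus Start values that differ from a baseline you capture on a clean reference machine. The baseline Start values used below (SENS automatic, COMSysApp manual) are an assumption to verify against your own build.

```python
"""Added example: audit SENS/COMSysApp registry values for the Losfondup.B
persistence pattern.  Registry snapshots below are constructed, not real."""
import ntpath
import re

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\services"
PROFILE_FOLDER_RE = re.compile(r"\\(application data|programdata)\\", re.IGNORECASE)


def audit_sens_servicedll(service_dll):
    """Return findings for a SENS ServiceDll value.

    The legitimate host is sens.dll under the system32 directory; the trojan
    points the value at "<ALLUSERSPROFILE>\\Application Data\\<random>.dat".
    """
    findings = []
    path = service_dll.strip('"')
    directory, basename = ntpath.split(path)
    if basename.lower() != "sens.dll":
        findings.append(f"ServiceDll basename is {basename!r}, expected 'sens.dll'")
    if not directory.lower().rstrip("\\").endswith("system32"):
        findings.append(f"ServiceDll directory {directory!r} is outside system32")
    if basename.lower().endswith(".dat"):
        findings.append("ServiceDll has a .dat extension, matching the Losfondup.B pattern")
    if PROFILE_FOLDER_RE.search(path):
        findings.append("ServiceDll lives in a profile data folder, not a system folder")
    return findings


def audit_services(snapshot, baseline_start):
    """snapshot: {service_name: {value_name: data}} for the services key.
    baseline_start: expected 'Start' values captured from a clean machine.
    Returns {service_name: [finding, ...]} for anything suspicious."""
    report = {}
    sens_dll = snapshot.get("SENS", {}).get("Parameters\\ServiceDll")
    if sens_dll is not None:
        for finding in audit_sens_servicedll(sens_dll):
            report.setdefault("SENS", []).append(finding)
    for service, expected in baseline_start.items():
        actual = snapshot.get(service, {}).get("Start")
        if actual is not None and actual != expected:
            report.setdefault(service, []).append(
                f"Start is {actual:#x}, baseline is {expected:#x}")
    return report


# Assumed baseline (verify on your own reference build): SENS automatic,
# COMSysApp manual.  The trojan sets both to 0x2 (automatic).
BASELINE_START = {"SENS": 0x2, "COMSysApp": 0x3}

# Constructed snapshots: one mirroring the write-up's description, one clean.
INFECTED_SNAPSHOT = {
    "SENS": {"Parameters\\ServiceDll": r"C:\ProgramData\Application Data\mnjetuwilon.dat",
             "Start": 0x2},
    "COMSysApp": {"Start": 0x2},
}
CLEAN_SNAPSHOT = {
    "SENS": {"Parameters\\ServiceDll": r"%SystemRoot%\system32\sens.dll", "Start": 0x2},
    "COMSysApp": {"Start": 0x3},
}

if __name__ == "__main__":
    for service, findings in audit_services(INFECTED_SNAPSHOT, BASELINE_START).items():
        for finding in findings:
            print(f"{SERVICES_KEY}\\{service}: {finding}")
```

On a live host, the snapshot dictionary would be populated from the registry (for example with the winreg module or a REG EXPORT of the services key); the checks themselves do not depend on how the values were collected.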

To ensure that the modified version of the "SENS" service (and, therefore, the trojan itself) is running instead of the legitimate one, the trojan terminates "svchost.exe" and runs the following commands, which load the modified "SENS" service:

  • cmd.exe /c net start COMSysApp
  • cmd.exe /c net start SENS


The trojan creates the file "12321312020.tmp" in the %TEMP% folder to store information about the status of the above commands, such as if the service started successfully.

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Temp folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

The trojan creates a JavaScript file to ensure its copy is run in the event that the commands do not work. It generates the file name from the list of strings listed above.

It places the JavaScript file in the <startup folder>, for example:

<startup folder>\widoexe.js

Note: <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Start Menu\Programs\Startup". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup."
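Because the dropped copy, its configuration file and the fallback startup script all take names built from the same fragment list (and the configuration file name is simply the copy's name reversed), a directory listing is enough to spot the pattern. The following added example is not the write-up's own code: it checks whether a name can be assembled from the fragments above, pairs each candidate .dat in "Application Data" with its reversed twin in "Documents", and flags .js files in the startup folder with the same construction. The directory listings it runs over are constructed sample data.

```python
"""Added example: detect Losfondup.B's fragment-built file names.
The fragment list is from the write-up; the listings below are constructed."""
import os

FRAGMENTS = [
    "32", "64", "aim", "ali", "and", "arj", "as", "aso", "co", "com", "cra",
    "dim", "dll", "do", "ebx", "eso", "etu", "exe", "fil", "fo", "hum", "je",
    "jm", "lo", "lon", "lop", "mnj", "ni", "or", "qui", "qwe", "rim", "sim",
    "sub", "tem", "to", "vir", "wh", "wi", "win",
]


def can_build_from_fragments(name, fragments=FRAGMENTS):
    """True if `name` is a concatenation of fragments from the list.
    Dynamic programming over prefixes: ok[i] means name[:i] is buildable."""
    n = len(name)
    ok = [False] * (n + 1)
    ok[0] = True
    for i in range(1, n + 1):
        for frag in fragments:
            j = i - len(frag)
            if j >= 0 and ok[j] and name[j:i] == frag:
                ok[i] = True
                break
    return ok[n]


def config_name_for(copy_name):
    """Configuration file name: the copy's base name reversed, same extension."""
    base, ext = os.path.splitext(copy_name)
    return base[::-1] + ext


def find_losfondup_pairs(app_data_files, documents_files):
    """Return (copy, config) pairs: a .dat in "Application Data" whose base name
    is buildable from the fragments and whose reversed name exists in "Documents"."""
    documents = set(documents_files)
    hits = []
    for fname in app_data_files:
        base, ext = os.path.splitext(fname)
        if ext.lower() != ".dat" or not can_build_from_fragments(base.lower()):
            continue
        config = config_name_for(fname)
        if config in documents:
            hits.append((fname, config))
    return hits


def suspicious_startup_scripts(startup_files):
    """Return .js files in the startup folder whose base name is fragment-built."""
    return [f for f in startup_files
            if f.lower().endswith(".js")
            and can_build_from_fragments(os.path.splitext(f)[0].lower())]


# Constructed sample listings (not taken from a real host).
SAMPLE_APP_DATA = ["mnjetuwilon.dat", "desktop.ini", "report.dat"]
SAMPLE_DOCUMENTS = ["noliwutejnm.dat", "notes.txt"]
SAMPLE_STARTUP = ["widoexe.js", "OneNote.lnk", "backup.js"]

if __name__ == "__main__":
    for copy, config in find_losfondup_pairs(SAMPLE_APP_DATA, SAMPLE_DOCUMENTS):
        print(f"suspicious pair: Application Data\\{copy} <-> Documents\\{config}")
    for script in suspicious_startup_scripts(SAMPLE_STARTUP):
        print(f"suspicious startup script: {script}")
```

Short fragment lists produce false positives on ordinary words (any name made only of "to", "do", "win", "com" and the like would match), so treat a fragment-built name as a lead to confirm with the registry check and the file sizes described further down, not as proof by itself.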

Backdoor:Win32/Losfondup.B monitors and injects itself into the following running processes to enable the network functionality of its payloads:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe
  • safari.exe


Payload
Allows backdoor access and control

Backdoor:Win32/Losfondup.B allows unauthorized access and control of your computer by connecting to a server that is provided in the trojan's configuration file.

An attacker can perform any number of different actions on your computer using the trojan. This could include, but is not limited to, the following actions:

  • Update the configuration file and the trojan itself
  • Download and run arbitrary files, including component files and other malware
  • Upload files
  • Run commands
  • Upload information, such as a log of the trojan's activities on your computer


Injects code

Backdoor:Win32/Losfondup.B injects itself into any running process, except for the following:

  • System Process
  • CSRSS.EXE
  • DLLHOST.EXE
  • SERVICES.EXE
  • SMSS.EXE
  • SVCHOST.EXE
  • SYSTEM
  • USERINIT.EXE
  • VMACTHLP.EXE
  • WINLOGON.EXE
  • Any running process that belongs to "SYSTEM/LOCAL SERVICE/NETWORK SERVICE"

Modifies user accounts and system settings

Backdoor:Win32/Losfondup.B adds a user account named "Local Servlce" to a number of administration and user account groups. It may do this to gain a greater level of access to Windows system settings than a normal user account would allow.

It purposefully misspells "Local Servlce" (instead of "Service"), possibly to trick you into believing it is a legitimate Windows user account.

Additional information

Backdoor:Win32/Losfondup.B appends random "garbage" data to the end of the copy of its original file and to the configuration file; this may increase the size of the files to over 70 megabytes.

The trojan also hooks the following three API functions to hinder detection and removal:

  • If the running process is "explorer.exe": FindNextFileW
  • If the running process is "regedit.exe": RegQueryValueExW
  • If the running process is "taskmgr.exe": ZwQuerySystemInformation


Backdoor:Win32/Losfondup.B attempts to open a socket on local TCP port 46365 and listen for a remote connection. The purpose of this behavior is unclear.

The trojan uses the following commands to add the user "Local Servlce" to various computer groups:

  • net localgroup <unknown characters> \"LOCAL SERVlCE\" /add (where <unknown characters> is the byte sequence |C0 E4 EC B3 ED B3 F1 F2 F0 E0 F2 E0 F0 FB|, which in the Windows-1251 code page spells a Cyrillic localized name of the Administrators group)
  • net localgroup <unknown characters> \"LOCAL SERVlCE\" /add (where <unknown characters> is |C0 E4 EC E8 ED E8 F1 F2 F0 E0 F2 EE F0 E8|)
  • net localgroup <unknown characters> \"LOCAL SERVlCE\" /add (where <unknown characters> is |C0 E4 EC E8 ED E8 F1 F2 F0 E0 F2 EE F0 FB|)
  • net localgroup \"Gli amministratori\" \"LOCAL SERVlCE\" /add
  • net localgroup Administradores \"LOCAL SERVlCE\" /add
  • net localgroup Administrateurs \"LOCAL SERVlCE\" /add
  • net localgroup Administratoriai \"LOCAL SERVlCE\" /add
  • net localgroup Administrators \"LOCAL SERVlCE\" /add
  • net localgroup Administratorzy \"LOCAL SERVlCE\" /add
  • net localgroup Amministratori \"LOCAL SERVlCE\" /add
  • net localgroup Beheerders \"LOCAL SERVlCE\" /add
  • net localgroup Rendszergazdak \"LOCAL SERVlCE\" /add
  • net localgroup Riarthoiri \"LOCAL SERVlCE\" /add
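The misspelled "Local Servlce" account and the localized net localgroup commands above give a defender two things to key on: a built-in account name that matches only after the lowercase "l" is read as "i", and a process creation adding such a name to an administrators group. The following added example (not the write-up's own code) covers both: it normalizes confusable characters before comparing a name with the well-known Windows account names, parses net localgroup ... /add command lines, and reports additions of look-alike names, marking those aimed at the group names listed above. The command lines it runs over are constructed sample data.

```python
"""Added example: detect look-alike built-in account names being added to
administrators groups.  Group names are from the write-up; the command lines
are constructed."""
import re

# Characters commonly swapped in for their look-alikes (lowercase l for i, etc.).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})

# Well-known Windows accounts a look-alike would try to imitate.
BUILTIN_NAMES = {"local service", "network service", "system"}
NORMALIZED_BUILTINS = {name.translate(CONFUSABLES) for name in BUILTIN_NAMES}

# Localized Administrators group names from the command list in the write-up.
ADMIN_GROUPS = {
    "gli amministratori", "administradores", "administrateurs", "administratoriai",
    "administrators", "administratorzy", "amministratori", "beheerders",
    "rendszergazdak", "riarthoiri",
}

# Matches: net[.exe] localgroup <group> <user> /add, with either token quoted.
NET_LOCALGROUP_ADD = re.compile(
    r'\bnet(?:\.exe)?\s+localgroup\s+("([^"]*)"|\S+)\s+("([^"]*)"|\S+)\s+/add\b',
    re.IGNORECASE)


def is_lookalike(name):
    """True if `name` is not a genuine built-in account name but becomes one
    once confusable characters are normalized (e.g. "Local Servlce")."""
    lowered = name.lower()
    if lowered in BUILTIN_NAMES:
        return False
    return lowered.translate(CONFUSABLES) in NORMALIZED_BUILTINS


def parse_localgroup_add(cmdline):
    """Return (group, user) for a net localgroup ... /add command line, else None."""
    match = NET_LOCALGROUP_ADD.search(cmdline)
    if not match:
        return None
    group = match.group(2) if match.group(2) is not None else match.group(1)
    user = match.group(4) if match.group(4) is not None else match.group(3)
    return group, user


def flag_lookalike_group_adds(cmdlines):
    """Report group additions whose user name is a look-alike of a built-in
    account; `admin_group` marks additions to a known Administrators group."""
    hits = []
    for line in cmdlines:
        parsed = parse_localgroup_add(line)
        if parsed is None:
            continue
        group, user = parsed
        if is_lookalike(user):
            hits.append({"group": group, "user": user,
                         "admin_group": group.lower() in ADMIN_GROUPS,
                         "cmdline": line})
    return hits


# Constructed process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'cmd.exe /c net localgroup Administrators "LOCAL SERVlCE" /add',
    r'net localgroup "Gli amministratori" "LOCAL SERVlCE" /add',
    r'net localgroup Administrators alice /add',
    r'cmd.exe /c net start SENS',
]

if __name__ == "__main__":
    for hit in flag_lookalike_group_adds(SAMPLE_CMDLINES):
        severity = "HIGH" if hit["admin_group"] else "MEDIUM"
        print(f"[{severity}] look-alike account {hit['user']!r} added to {hit['group']!r}")
```

The same is_lookalike check can be run over the output of a local account enumeration, independently of command-line telemetry, since the account persists after the commands have finished.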

Analysis by Steven Zhou

Last update 05 February 2013
