
Backdoor:Java/Frurat.A


First posted on 19 April 2013.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Java/Frurat.A.

Explanation :



Installation

Backdoor:Java/Frurat.A is a Java program packaged as a JAR file. It runs when you open a downloaded file containing the malicious code, and it needs a Java runtime (JRE) installed on the computer to run at all; the registry entry below shows it being started as a standalone application through javaw.exe rather than as a browser applet.

It uses a configuration file that we detect as Backdoor:Java/Frurat.A!conf.

In the wild, we have seen this threat copy itself to the folder "%APPDATA%\Frutas" with one of the following file names:

  • javawi.jar
  • javaw.jar
  • rata.jar
  • servidorcito.jar


Backdoor:Java/Frurat.A adds the following registry entry so that its copy runs at each Windows start. The key is under HKLM, so writing it requires administrative rights, and the entry then applies to every user who logs on:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Firewall" or "Javax"
With data: "<Java folder>\bin\javaw.exe" -jar "<backdoor path and filename>"

Notes:

  • <Java folder> is the path where Java is installed, for example: "C:\Program Files\Java\jre6\"
  • <backdoor path and filename> is the path and filename of the copied JAR, for example one of the files in "%APPDATA%\Frutas" listed above


We have observed it attempting to prevent the following security-related tools and programs from running:

  • Security products from the following vendors:
    • AVG
    • Avast
    • Microsoft
    • Symantec
    • McAfee
    • ESET
    • Kaspersky
    • Avira
    • Malwarebytes
  • Windows security and administration tools, including:
    • User Account Control settings (UserAccountControlSettings.exe)
    • System Configuration (msconfig.exe)
    • Task Manager (taskmgr.exe)


It does this by setting an Image File Execution Options (IFEO) "Debugger" value for each targeted program:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<legitimate program file name>
Sets value: "Debugger"
With data: "alg.exe"

When a program that has an IFEO "Debugger" value is started, Windows launches the named debugger instead and passes it the original command line, expecting the debugger to start the program under its control. alg.exe (the Application Layer Gateway service binary) is not a debugger and exits without doing so, so the targeted program silently never starts. The hijack keys on the file name alone, whatever folder the program is launched from, and it is undone by deleting the "Debugger" value. The value of <legitimate program file name> can be any of the following:

  • avcenter.exe
  • avconfig.exe
  • avfwsvc.exe
  • avgamsvr.exe
  • avgcc.exe
  • avgemc.exe
  • avgnt.exe
  • avguard.exe
  • avgupsvc.exe
  • avmailc.exe
  • avnotify.exe
  • avp.exe
  • avscan.exe
  • avshadow.exe
  • avwebgrd.exe
  • avwsc.exe
  • ccproxy.exe
  • ccsetmgr.exe
  • egui.exe
  • ekrn.exe
  • kav.exe
  • kldw.exe
  • klwtblfs.exe
  • klwtbws.exe
  • mbam.exe
  • mbamgui.exe
  • mbamservice.exe
  • mcshield.exe
  • MpCmdRun.exe
  • MpfService.exe
  • mpfsrv.exe
  • MSASCui.exe
  • msconfig.exe
  • msscli.exe
  • navapsvc.exe
  • nisum.exe
  • nod32km.exe
  • nod32krn.exe
  • nod32kui.exe
  • taskmgr.exe
  • UserAccountControlSettings.exe


The trojan also creates the file "frautas.lock" in the %TEMP% folder as a marker of infection.
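
The two registry artifacts above (the Run value that starts the JAR through javaw.exe, and the IFEO "Debugger" values pointing at alg.exe) can be found offline in a registry export collected from a suspect machine. The following is an added example for this page, not Microsoft's code: it parses text in the layout written by `reg export` and flags both artifacts. The export below is a constructed sample (the user name, the legitimate Run entry and the Visual Studio debugger entry are illustrative), and the allowlist of known debuggers is this example's own assumption.

```python
"""Offline triage of a Windows registry export (.reg text) for a Run value that
launches a JAR via javaw.exe and for IFEO "Debugger" hijacks such as alg.exe.

Added example; not Microsoft's code. SAMPLE_REG is constructed by hand in the
format `reg export` writes (real output is UTF-16LE; assume already decoded)."""
import re

# Constructed sample. Inside REG_SZ data, backslash and double quote are
# escaped with a backslash, exactly as reg export does.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Javax"="\"C:\\Program Files\\Java\\jre6\\bin\\javaw.exe\" -jar \"C:\\Users\\alice\\AppData\\Roaming\\Frutas\\javaw.jar\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="alg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="alg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VS7Debug\\vsjitdebugger.exe\""
'''

IFEO = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
RUN_KEYS = {
    r'hkey_local_machine\software\microsoft\windows\currentversion\run',
    r'hkey_current_user\software\microsoft\windows\currentversion\run',
}
# Assumed allowlist: debuggers that legitimately appear in IFEO on developer machines.
KNOWN_DEBUGGERS = {'vsjitdebugger.exe', 'windbg.exe', 'windbgx.exe', 'ntsd.exe', 'cdb.exe'}
# JAR names this family was seen using (from the description above).
FRUTAS_JARS = {'javawi.jar', 'javaw.jar', 'rata.jar', 'servidorcito.jar'}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo reg-export escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Map key path -> {value name: data}. REG_SZ data is unescaped; other
    types (dword:, hex:...) are kept as the raw right-hand side."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][_unescape(m.group(1))] = data
    return keys


def _basename(cmd):
    """File name of the first token of a command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        token = cmd[1:cmd.index('"', 1)]
    else:
        token = cmd.split()[0] if cmd.split() else cmd
    return token.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def find_ifeo_hijacks(keys):
    """(target exe, debugger) for IFEO Debugger values not in the allowlist.
    alg.exe is a service binary, not a debugger, so the target never starts."""
    prefix = IFEO.lower() + '\\'
    hits = []
    for path, values in keys.items():
        if path.lower().startswith(prefix) and 'Debugger' in values:
            dbg = values['Debugger']
            if _basename(dbg) not in KNOWN_DEBUGGERS:
                hits.append((path[len(prefix):], dbg))
    return hits


def find_jar_autoruns(keys):
    """(value name, jar path, confidence) for Run values using java(w).exe -jar;
    'high' when the JAR name or its folder matches what this family used."""
    hits = []
    for path, values in keys.items():
        if path.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if not re.search(r'javaw?\.exe"?\s+-jar\b', data, re.IGNORECASE):
                continue
            m = re.search(r'-jar\s+(?:"([^"]+)"|(\S+))', data, re.IGNORECASE)
            jar = (m.group(1) or m.group(2)) if m else ''
            low = jar.lower()
            conf = 'high' if low.rsplit('\\', 1)[-1] in FRUTAS_JARS or '\\frutas\\' in low else 'medium'
            hits.append((name, jar, conf))
    return hits


def triage(reg_text):
    keys = parse_reg(reg_text)
    return {'ifeo': find_ifeo_hijacks(keys), 'autorun': find_jar_autoruns(keys)}


if __name__ == '__main__':
    for kind, hits in triage(SAMPLE_REG).items():
        for hit in hits:
            print(kind, *hit)
```

Feed it the decoded text of `reg export HKLM\SOFTWARE out.reg` from the suspect host (or the same keys under HKCU). Remediation for the IFEO hits is to delete the "Debugger" value, not the whole key; check that the Run value's JAR path exists under %APPDATA%\Frutas and that %TEMP%\frautas.lock is present to corroborate.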



Payload

Allows backdoor access and control

Backdoor:Java/Frurat.A tries to connect to a remote server to receive commands from a remote attacker. We have seen it try to connect to the following servers. All but one are names in dynamic DNS zones (no-ip.org, no-ip.biz, zapto.org), which the attacker can repoint to a different IP address at any time, so the hostnames are the more durable indicators and the single IP address may no longer be in use:

  • 217.66.227.219
  • balto.no-ip.org
  • gebbix.zapto.org
  • iceop.no-ip.biz
  • sarahps.no-ip.biz
  • spy2014.no-ip.biz
  • trinks.no-ip.org
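
Because the command-and-control names above live in dynamic DNS zones, the practical detection is on DNS query logs rather than on the one IP address. The following is an added example for this page, not Microsoft's code: it scans a constructed one-line-per-query log (the format and client addresses are assumed) for the exact hostnames, for other names under the same dynamic DNS zones, and for answers that resolve to the listed address, taking care that a suffix match respects label boundaries.

```python
"""Scan DNS query logs for the C2 hostnames and address listed above.

Added example; not Microsoft's code. SAMPLE_LOG and its "<timestamp> <client>
<qtype> <qname> <answer>" layout are constructed for this example."""

# Indicators taken from the description above.
C2_HOSTS = {
    'balto.no-ip.org', 'gebbix.zapto.org', 'iceop.no-ip.biz',
    'sarahps.no-ip.biz', 'spy2014.no-ip.biz', 'trinks.no-ip.org',
}
C2_IPS = {'217.66.227.219'}
# Dynamic DNS zones the hostnames above sit in. A hit here is weaker than an
# exact match: legitimate users register names in these zones too.
DDNS_ZONES = {'no-ip.org', 'no-ip.biz', 'zapto.org'}

# Constructed sample log. Line 3 has mixed case and a trailing dot; line 4 is a
# look-alike that must NOT match; line 5 is an unrelated name on the C2 address.
SAMPLE_LOG = """\
2013-04-19T10:01:02Z 10.0.0.5 A balto.no-ip.org 217.66.227.219
2013-04-19T10:01:03Z 10.0.0.7 A www.example.com 93.184.216.34
2013-04-19T10:01:04Z 10.0.0.9 A Update.Contoso.zapto.org. 198.51.100.23
2013-04-19T10:01:05Z 10.0.0.11 A fakeno-ip.org 203.0.113.9
2013-04-19T10:01:06Z 10.0.0.12 A cdn.contoso.example 217.66.227.219
"""


def normalize(name):
    """Lower-case and strip the trailing dot so 'Foo.Example.' == 'foo.example'."""
    return name.rstrip('.').lower()


def in_zone(name, zone):
    """True if name is the zone itself or a subdomain of it. Requiring the dot
    before the zone stops 'fakeno-ip.org' from matching 'no-ip.org'."""
    return name == zone or name.endswith('.' + zone)


def classify(qname, answer):
    """Reasons a single query/answer pair is suspicious (empty list if none)."""
    name = normalize(qname)
    reasons = []
    if name in C2_HOSTS:
        reasons.append('known C2 hostname')
    elif any(in_zone(name, z) for z in DDNS_ZONES):
        reasons.append('dynamic DNS zone used by this family')
    if answer in C2_IPS:
        reasons.append('resolves to known C2 address')
    return reasons


def scan(log):
    """(client, normalized qname, reasons) for every line with a reason."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line: skip rather than guess
        _ts, client, _qtype, qname, answer = parts[:5]
        reasons = classify(qname, answer)
        if reasons:
            hits.append((client, normalize(qname), reasons))
    return hits


if __name__ == '__main__':
    for client, qname, reasons in scan(SAMPLE_LOG):
        print(f'{client} -> {qname}: {"; ".join(reasons)}')
```

Treat an exact hostname hit or an answer on the C2 address as a confirmed indicator for that client; a zone-only hit is a lead to be checked against the registry and file artifacts described under Installation before acting on it.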


These commands can include, but are not limited to, the following:

  • Downloading files from and uploading files to a remote server
  • Conducting denial of service (DoS) attacks
  • Uninstalling the trojan from your computer
  • Terminating running processes




Analysis by Jonathan San Jose

Last update 19 April 2013

 
