
Backdoor:Win32/Wkysol.G


First posted on 19 January 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Wkysol.G is also known as Trojan/Win32.Npkon (AhnLab), Trojan.Win32.Sasfis.crqp (Kaspersky), Backdoor.Sykipot!AWykAQlotQc (VirusBuster), Win32/Wisp.C trojan (ESET), Backdoor.Win32.Wkysol (Ikarus).

Explanation:

Backdoor:Win32/Wkysol.G is malware that allows backdoor access and control of the affected computer. In the wild, it has been observed to be bundled with Exploit:JS/Pdfjsc.Y and Exploit:Win32/CVE-2011-2462 variants.



Installation

Backdoor:Win32/Wkysol.G modifies the registry so that it automatically starts at every Windows start:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "start"
With data: "<malware path>\<malware file name> -install"

It then drops and installs its backdoor component using any of the following file names:

  • <backdoor path>\nwxl.dll
  • <backdoor path>\rsm.dll


where <backdoor path> is one folder up from the %Temp% folder.

Backdoor:Win32/Wkysol.G injects its DLL component into the "iexplorer.exe" process. It does this by spawning a new copy of "iexplorer.exe", using the path stored in the registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE.

It also drops the configuration file "<backdoor path>\setm.ini" containing the following:

  • sleep time
  • remote server to connect to
  • malware file name and DLL component file name
  • bot ID

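The following triage script is an added example, not part of the Microsoft writeup: it checks a host for the Run-key value, the dropped components and the configuration file described above. It assumes it runs as the affected user (the persistence key is under HKCU, so %Temp% must be that user's) and that setm.ini stores the remote server as a plain host name, which the writeup does not specify.

```powershell
# Added triage example (not from the original advisory). Reports indicators only;
# it deletes nothing. Run in the context of the affected user: the Run key is
# per-user (HKCU) and <backdoor path> is derived from that user's %Temp%.

$findings = @()

# 1. Persistence: HKCU Run value "start" whose data ends in "-install".
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'start' -ErrorAction SilentlyContinue
if ($runVal -and $runVal.start -match '-install\s*$') {
    $findings += "Run value 'start' -> $($runVal.start)"
}

# 2. Dropped components one folder above %Temp% (the <backdoor path> in the writeup).
$backdoorPath = Split-Path -Parent $env:TEMP
foreach ($name in 'nwxl.dll', 'rsm.dll', 'setm.ini') {
    $candidate = Join-Path $backdoorPath $name
    if (Test-Path -LiteralPath $candidate) {
        $item = Get-Item -LiteralPath $candidate
        $findings += "Dropped file: $candidate ($($item.Length) bytes, written $($item.LastWriteTime))"
    }
}

# 3. The configuration file names the remote server; capture it for blocking/hunting.
$ini = Join-Path $backdoorPath 'setm.ini'
if (Test-Path -LiteralPath $ini) {
    # Assumption: the server is stored as a host name. The writeup does not give the
    # INI key names, so anything that looks like a host name is extracted.
    $hosts = Select-String -LiteralPath $ini -Pattern '[A-Za-z0-9.-]+\.[A-Za-z]{2,}' -AllMatches |
             ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
    if ($hosts) { $findings += "Hosts referenced in setm.ini: $($hosts -join ', ')" }
}

if ($findings) {
    Write-Warning "Wkysol.G indicators found on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No Wkysol.G indicators found."
}
```

A hit on the Run value alone is enough to isolate the host; the file checks and the extracted host name give the artefacts to collect before any cleanup.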

Payload

Allows backdoor access and control

Backdoor:Win32/Wkysol.G has been observed to connect to the remote server stored in its configuration file. In the wild, one such server it is known to connect to is "one<removed>focus.com". If connected to the server, it sends the affected computer's name and IP address as well as the bot ID value in the configuration file.

Once connected, an attacker can perform a number of actions on the affected computer. These include, but are not limited to, the following:

  • Download/upload arbitrary files
  • Open a remote command shell
  • Start/terminate processes
  • Restart the computer
  • Set new timeout values (used to pause the malware's execution and as a random number seed)

Additional information

Backdoor:Win32/Wkysol.G can remove its components from the affected computer and delete its entry in the system registry. It does this when run with the "-removekys" parameter.



Analysis by Rodel Finones

Last update 19 January 2012
