Pages

27 September 2011

Backdoor:Win32/Darkshell.B

Aliases :

There are no other names known for Backdoor : Win32/Darkshell.B.

Explanation :

Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.

Top

Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.

Installation
Upon execution, Backdoor:Win32/Darkshell.B creates a copy of itself in the following file location and registers this copy as a service so it runs at each Windows start:

    \drivers\svchost.exe

Win32/Darkshell.B then launches this copy and deletes its original executable from the computer.

The backdoor also creates copies of itself in the following file locations using randomly generated file names:

    \.exe
    \drivers\.exe
    \dllcache\.exe
    \ime\.exe
    %ProgramFiles%\common files\microsoft shared\.exe
    %ProgramFiles%\internet explorer\connection wizard\.exe
    %ProgramFiles%\windows media player\.exe
    %windir%\addins\.exe
    %windir%\system\.exe


Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Spreads via...

Removable drives

Backdoor:Win32/Darkshell.B may receive instructions from a remote host to spread via removable drives. Darkshell.B may copy itself to any removable drives on the system using the file name "setup.exe", as well as creating an "autorun.inf" file in the drive that launches "setup.exe", if the Autorun feature is enabled on the compromised computer.

It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.


Payload

Modifies executable files

Backdoor:Win32/Darkshell.B modifies files with ".exe" file extensions in all fixed drives so that when these files are launched, a copy of the malware is also executed. The modified files are detected as Virus:Win32/Luder.B. Backdoor:Win32/Darkshell.B avoids infecting files that are in the following directories:

    \Windows
    \WinNT
    \Windows NT
    \Documents and Settings
    \System Volume Information
    \Recycled
    \WindowsUpdate
    \Windows Media Player
    \Outlook Express
    \Internet Explorer
    \NetMeeting
    \ComPlus Applications
    \Messenger
    \Microsoft Frontpage
    \Movie Maker
    \NetMeeting



Contacts remote hosts

In the wild, we have observed Backdoor:Win32/Darkshell.B attempting to contact the following remote host through port 1981:

    hackpigpig.3322.org


The malware parses information received from the host to interpret other host servers with which to connect. Darkshell also sends system information to the host such as the system's computer name, Windows version, and amount of RAM.

Darkshell may also receive commands from the host that allow it to perform a number of actions on the infected computer, such as:

    Remove itself from the system
    Download and execute files
    Execute files
    Spread through removable drives



Downloads and executes arbitrary files

Through its backdoor component, Win32/Darkshell.B may receive instructions to download and execute an arbitrary file from a specific URL. If ordered to do so, the backdoor saves the file to the file location "C:\pagefile.pif" and executes it.



Analysis by Amir Fouda

0 comments: