|
|
Backdoor.Padodor. Viruses Information
| Name: |
Backdoor.Padodor. |
| Category: |
Viruses |
| Description:
|
Details
Backdoor.Padodor.w
also known as TrojanSpy.Win32.Qukart
Padodor/Qukart was created by a Russian hacker group called HangUp Team. The original Padodor backdoor source code was used to create this variant, but the backdoor functionality was removed. Padodor/Qukart steals personal information including credit card numbers, logins and passwords that a user types and other sensitive data. The Padodor.W variant was found early on June 25th, 2004 as a result of the Scob incident investigation.
http://www.f-secure.com/v-descs/scob.shtml
Detailed Description
The trojan's file is a PE executable 51712 bytes long. The trojan's file is encrypted and the decryption routine is polymorphic. Every time the trojan installs itself, it changes its decryptor, so its file will look different after every installation. The trojan was created using Padodor backdoor code. There's some discussion now as to whether HangUp Team was involved. Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents. Up to .G variant of Padodor their copyright was in the backdoor files
In the later variants of the backdoor the copyright string was removed, but the project name "padonok" (an incorrectly spelled Russian word "podonok" that means "scum") remained.
Installation to System
When the trojan's file is run, it installs itself to the system. It copies its file to Windows System directory with a random name that can contain '32' in the end. The name can be for example 'amackg32.exe'. Also the trojan extracts and writes a small DLL file to Windows System folder. That file also has a randomly generated name that can contain '32' in the end, for example 'bnldnl32.dll'. That DLL file is a starter for the dropped trojan's executable file. It already contains the name of the dropped trojan file - it is inserted there before extraction.
Then the trojan creates a few Registry keys:
[HKCRCLSID{79FEACFF-FFCE-815E-A900-316290B5B738}InProcServer32]
@ = "%WinSysDir%.dll"
"ThreadingModel" = "Apartment"
where %WinSysDir% represents the name of Windows System folder and represents a randomly generated file name. As a result, the DLL gets loaded every time Windows starts and it activates the trojan's file.
Also the trojan creates the following Registry key value:
[HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
The trojan creates a mutex named 'KingKarton_10' and checks it at startup to avoid loading several copies of itself to memory.
The trojan creates the 'surf.dat' file in Windows System folder and writes the computer name and user name there every time it activates.
Theft of passwords and credit card numbers
When the trojan is active, one of its threads is constantly looking for the following text strings in Microsoft Internet Explorer windows:
.paypal.com
signin.ebay.
.earthlink.
.juno.com
my.juno.com/s/
webmail.juno.com
.yahoo.com
and
Sign In
Log In
If such text strings are found, the trojan tracks the user's login and password and saves it to a file called DNKK.DLL located in Windows System folder. Then the trojan can show a fake webform and ask a user to select his/her credit card type, input his/her full name, credit card number, expiration date, CVV2 code and ATM PIN. The collected data is stored in a file called KK32.DLL file located in Windows System folder.
The trojan creates a thread that periodically creates or changes the following Registry keys:
[HKCUSOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZones]
"1601" =
[HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
"GlobalUserOffline" =
[HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowseNewProcess]
"BrowseNewProcess" = "yes"
Then this thread creates an HTML file where it copies stolen data, opens it with Internet Explorer and the data gets submitted to one of the following websites (selected randomly) using a small script:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
After submitting the information, the trojan checks for feedback from the site and if it is a string equal to 'X-okRecv11', the trojan deletes the HTML file and terminates Internet Explorer.
The trojan creates another thread that periodically accesses the following webpages:
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://ldark.nm.ru/index.htm
http://fethard.biz/index.htm
Before accessing the above mentioned websites the trojan creates an HTML file with a special script. If the index.htm page on these sites contain 'X-okRecv11' string the trojan terminates Internet Explorer and deletes the created HTML file. Otherwise the trojan browses Internet cache files and appends the last used HTML file to the KK32.VXD file located in Windows System folder.
It should be noted that during the operation described above the trojan creates a new desktop called 'blind_user' on an infected computer that a user can not see and then opens Internet Explorer there.
© F-Secure Corporation |
Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 73 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win32.Hidra - 43 visits
Win16.Klon.1177 - 42 visits
Marine.500 - 35 visits
Random Viruses Pages:
Konkoor.174
Win32.Magi
Shoe.190
I-Worm.Funn
Macro.Word.Fuzz
Video.10
Antiscan.50
Sentinel Famil
Ocean.257
June8.191
|
|
