Known locations: %APPDATA%\Microsoft\RtkN32Gdi.exe

The module is created and executed (for the first time) by the module "fileputexec". The file is a PE EXE file, compiled with Microsoft Visual Studio 2010.

Creates encrypted log files: "%TMP%\smrdprev\smrdprev_%p_%p.tmp", where the "%p" parameters are formatted from the return values of subsequent GetTickCount API calls.

When started, the module initializes its log object with a new filename. Then, it creates one of several registry values to ensure its automatic start.

It looks for task files in the following directories:
%SystemDrive%\Documents and Settings\LocalService\Application Data\Microsoft
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
%ALLUSERSPROFILE%\Application Data\Microsoft
%ALLUSERSPROFILE%\Application Data\Microsoft\Office
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data
%ALLUSERSPROFILE%\Application Data\Microsoft\Windows

Any found file with the extension ".trh" is deleted.

Files with the extension ".bak" are treated differently. They are decrypted using a custom AMPRNG algorithm with a hardcoded key, then decompressed using LZMA. If the file was decompressed without errors, it is expected to start with a header that describes an internal task.

Each task has a name and a "type" field. Depending on that field, the module treats the contents of the decrypted file differently:

Task type:
- It is written to a temporary file "%TMP%\%number%.exe" and executed with the CreateProcess API. The file is removed when the process terminates.
- It is loaded in memory with a custom PE loader. Then, its export named "START" is called.
- The task is a new version of the "scheduler" module. The original module is moved to a file with the extension ".trh" and deleted; the task's contents are written instead.

Known variants of the ".bak" task files were created by the "fileputexec" module. They all contained a task named "fileinfo".

DocBackdoor (Acrobat Reader and Microsoft Office plugin) module

Known file locations: add-on directories of Acrobat Reader or Microsoft Office, depending on installation settings.

The file is a PE DLL file with 1 exported function, compiled with Microsoft Visual Studio 2010.

The malware contains a universal plugin for the Acrobat Reader and Microsoft Office applications. The plugin does not depend on the application, so it could have been used with other applications, too.

All the functionality is implemented in the DllMain function. When loaded, the module starts a new thread and returns. In the new thread, the module executes its main function in an infinite loop, with a 1 second delay.

The module iterates through file handle values from 0 to 65534 with step 4, and tries to get the file size for every handle. If the call to GetFileSize succeeds, the module assumes that it has found a valid file handle, and proceeds with this file. The file handle may belong to any file that is currently open by the application, including any open documents (i.e. …). The module retrieves the name of the file, reads the whole file into memory and checks its last DWORD. If the value is not equal to the magic number 0x29A (666 decimal), it skips this file.
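The two observable artefacts described above, the scheduler module's ".trh"/".bak" task files in its polled directories and the 0x29A trailing DWORD the DocBackdoor plugin looks for at the end of an open document, can both be checked with a small triage script. The following is an added example written for this page; it is not code from the report or from the malware itself. It assumes the DWORD is stored little-endian (as an x86 build would store it), and the directory list and magic value are taken verbatim from the text; the sample files built by `demo()` are constructed.

```python
"""Triage helper for the artefacts described in the report above.

Added example (not code from the report or from the malware):
  1. find_task_files(): list ".trh" / ".bak" leftovers in the directories the
     scheduler module is described as polling;
  2. has_docbackdoor_marker(): flag a file whose final DWORD is 0x29A, the value
     the DocBackdoor plugin looks for at the end of an open document.
Assumption: the DWORD is read little-endian, as an x86 build would store it.
"""
import os
import struct
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional

DOCBACKDOOR_MAGIC = 0x29A          # 666 decimal, from the report
TASK_FILE_SUFFIXES = {".trh", ".bak"}

# Directories quoted in the report. Environment variables are expanded at run
# time; on a non-Windows host "%VAR%" is not expanded, so the paths do not
# exist and are simply skipped.
SCHEDULER_TASK_DIRS = [
    r"%SystemDrive%\Documents and Settings\LocalService\Application Data\Microsoft",
    r"%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Office",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Windows",
]


def trailing_dword(data: bytes) -> Optional[int]:
    """Little-endian value of the last four bytes, or None if fewer than four."""
    if len(data) < 4:
        return None
    return struct.unpack("<I", data[-4:])[0]


def has_docbackdoor_marker(path: os.PathLike) -> bool:
    """True if the file ends with the 0x29A marker. Reads only the last 4 bytes."""
    p = Path(path)
    if not p.is_file() or p.stat().st_size < 4:
        return False
    with p.open("rb") as fh:
        fh.seek(-4, os.SEEK_END)
        return trailing_dword(fh.read(4)) == DOCBACKDOOR_MAGIC


def scan_documents(paths: Iterable[os.PathLike]) -> List[str]:
    """Names of the given files that carry the marker."""
    return [Path(p).name for p in paths if has_docbackdoor_marker(p)]


def find_task_files(directories: Iterable[str] = SCHEDULER_TASK_DIRS) -> List[str]:
    """Names of .trh/.bak files sitting directly in the polled directories."""
    hits: List[str] = []
    for d in directories:
        root = Path(os.path.expandvars(d))
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            if entry.is_file() and entry.suffix.lower() in TASK_FILE_SUFFIXES:
                hits.append(entry.name)
    return hits


def demo() -> dict:
    """Constructed sample data: one marked PDF, one clean document, one .trh leftover."""
    tmp = Path(tempfile.mkdtemp(prefix="docbackdoor_demo_"))
    (tmp / "report.pdf").write_bytes(
        b"%PDF-1.4 constructed sample\n%%EOF\n" + struct.pack("<I", DOCBACKDOOR_MAGIC))
    (tmp / "notes.docx").write_bytes(b"PK constructed sample without a marker")
    (tmp / "1.trh").write_bytes(b"constructed leftover task file")
    (tmp / "readme.txt").write_bytes(b"ignored: wrong extension")
    return {
        "marked": scan_documents([tmp / "report.pdf", tmp / "notes.docx"]),
        "task_files": find_task_files([str(tmp)]),
    }


if __name__ == "__main__":
    print(demo())
    print("task files on this host:", find_task_files())
```

A trailing DWORD of 0x29A after a document's normal end-of-file trailer is unusual enough to be worth a look, but any four bytes can match by chance, so treat a hit as a lead to be confirmed rather than a verdict. The ".bak" suffix is common elsewhere on a system, which is why the hunt is restricted to the directories the report names; decrypting a suspected task file is not attempted here, since the AMPRNG key is not on the page.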