Threat behavior
Backdoor:Win32/Nuwar.B is a backdoor Trojan that allows unauthorized access to an infected computer. The Trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This Trojan also contains advanced stealth functionality that allows it to hide particular files, registry entries and registry values.
Please note that there may be several minor variants of this Trojan circulating in the wild and that, while functionally identical, they may contain small differences with regard to file names used, events created, etc. As such, we have listed two such variations for each behavior described below.
When executed, Backdoor:Win32/Nuwar.B performs the following actions.
- Creates configuration file <system folder>\windev-peers.ini or <system folder>\vdo_g.ini which contains a list of peers to connect to initially (see Backdoor Functionality section below for further detail).
- Drops a kernel driver <system folder>\windev-xxxx-xxxx.sys or <system folder>\vdo_xxxx-xxxx.sys (where each xxxx is a randomly generated four-character alphanumeric string - for example "C:\WINDOWS\System32\windev-42a7-127d.sys"). The driver is then installed, using the file name minus the extension as the display name (for example "windev-42a7-127d").
- Enumerates kernel and file system drivers in the Service Control Manager database. Any previously installed drivers (with names beginning with 'windev-' or 'vdo_') are stopped and then deleted from the database. The corresponding ".sys" file is then deleted from disk.
- Creates a mutex named either "A8dK894Lm9#sF2i$sOBq2X" or "K8JT6Hnjm$#jui#WWhHHgG", which the Trojan uses as a marker to prevent re-installation attempts if the driver is already running.
- Injects a malicious payload into "services.exe". As a result, the Trojan's network activity appears to originate from services.exe.
- Attempts to modify "Windows Time" configuration settings.
Note: <system folder> refers to the Windows system folder. Its default location is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System (Windows 95/98/ME).
Advanced Stealth Features
The driver hides files, registry keys and registry values whose names begin with the strings "windev-" or "vdo_" by hooking the following functions:
- NtEnumerateKey
- NtEnumerateValueKey
- NtQueryDirectoryFile
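The installation artifacts and stealth hooks listed above translate directly into a host check. The script below is an added example written for this page, not Microsoft's code or part of the original write-up; it looks for the fixed-name configuration files, the two mutex names, and the driver registrations described above. It assumes the mutex is created with an unqualified name (so it is tried both bare and under the Global\ prefix, since the payload runs in services.exe in session 0) and that only the three enumeration functions named above are hooked, which is why an open by exact path is treated as reliable while enumeration results are not.

```powershell
# Added example (not from the original write-up): live triage for the Nuwar.B
# artifacts described above. Run from an elevated PowerShell session.
$sysDir = [Environment]::GetFolderPath('System')   # resolves to <system folder>

function Find-NuwarIndicators {
    $hits = @()

    # 1. The configuration files have fixed names, so they can be opened by exact path.
    #    Test-Path on a literal path does not enumerate the directory, so the
    #    NtQueryDirectoryFile hook does not hide them from this check (assumption:
    #    only the three functions named above are hooked).
    foreach ($f in @("$sysDir\windev-peers.ini", "$sysDir\vdo_g.ini")) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $hits += "config file present: $f" }
    }

    # 2. The mutex names are fixed. The payload lives in services.exe (session 0), so
    #    from an interactive session the object may only be reachable as Global\<name>;
    #    both forms are tried. An access-denied error still proves the object exists.
    foreach ($name in @('A8dK894Lm9#sF2i$sOBq2X', 'K8JT6Hnjm$#jui#WWhHHgG')) {
        foreach ($candidate in @($name, "Global\$name")) {
            try {
                $m = [System.Threading.Mutex]::OpenExisting($candidate)
                $m.Close()
                $hits += "mutex present: $candidate"
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
                # not present under this name
            } catch [System.UnauthorizedAccessException] {
                $hits += "mutex present (open denied): $candidate"
            }
        }
    }

    # 3. The driver name carries a random suffix, so it can only be found by enumeration.
    #    Because the driver hooks NtEnumerateKey and NtQueryDirectoryFile, these checks
    #    can come back empty on a running infected host: a miss here is not conclusive
    #    and should be repeated from a clean boot (for example, recovery media).
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'windev-*' -or $_.Name -like 'vdo_*' }
    foreach ($d in $drivers) { $hits += "driver registered: $($d.Name) ($($d.PathName))" }

    $keys = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'windev-*' -or $_.PSChildName -like 'vdo_*' }
    foreach ($k in $keys) { $hits += "service key: $($k.PSChildName)" }

    $files = Get-ChildItem -LiteralPath $sysDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'windev-*' -or $_.Name -like 'vdo_*' }
    foreach ($s in $files) { $hits += "driver file: $($s.FullName)" }

    return $hits
}

$result = Find-NuwarIndicators
if ($result.Count -eq 0) {
    'no Nuwar.B indicators found (enumeration-based checks may be hidden by the rootkit)'
} else {
    $result
}
```

A positive result from checks 1 or 2 is strong evidence on its own; treat an empty result from check 3 as "unknown" rather than "clean" until the same enumeration has been repeated with the driver not running.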
Backdoor Functionality
The component that was injected into services.exe attempts to join a malicious peer-to-peer network, where directives can be exchanged between like peers. Once connected to the network, active peers can be instructed to perform several actions including:
- Gather e-mail addresses from files with the following extensions on all fixed drives of the infected computer:
.adb
.asp
.cfg
.cgi
.dat
.dbx
.dhtm
.eml
.htm
.jsp
.lst
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
The Trojan avoids addresses that contain the following substrings:
@avp.
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
- Perform Denial of Service (DoS) attacks.
- Compose and send e-mail to addresses that may be supplied via the peer-to-peer network. This function can be used to send spam or to distribute additional malicious threats.
- Download and execute arbitrary files, including updated versions of itself.
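The address-harvesting behavior above is a simple rule set (extension allow-list, substring block-list) that is worth seeing run over data, because the block-list is matched as a substring anywhere in the address and therefore drops more than the obvious vendor and role accounts. The script below is an added example, not code from the original write-up or from the malware; it emulates the harvesting rules over a constructed sample tree. Case-insensitive matching and the e-mail regular expression are assumptions, since the page does not specify how addresses are parsed.

```powershell
# Added example (not from the original write-up): emulates the harvesting rules
# described above over a constructed sample directory, so an analyst can see which
# addresses the filter keeps and which it discards.

$Extensions = @('.adb','.asp','.cfg','.cgi','.dat','.dbx','.dhtm','.eml','.htm','.jsp',
                '.lst','.mbx','.mdx','.mht','.mmf','.msg','.nch','.ods','.oft','.php',
                '.pl','.sht','.shtm','.stm','.tbb','.txt','.uin','.wab','.wsh','.xls','.xml')

$SkipSubstrings = @('@avp.','@foo','@iana','@messagelab','@microsoft','abuse','admin',
                    'anyone@','bsd','bugs@','cafee','certific','contract@','f-secur','feste',
                    'free-av','gold-certs@','google','help@','icrosoft','info@','kasp','linux',
                    'listserv','local','news','nobody@','noone@','noreply','ntivi','panda','pgp',
                    'postmaster@','rating@','root@','samples','sopho','spam','support','unix',
                    'update','winrar','winzip')

# Assumed address pattern; the write-up does not state how addresses are extracted.
$EmailRegex = [regex]'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

function Test-HarvestedAddress {
    param([string]$Address)
    # Assumption: substrings are compared case-insensitively against the whole address.
    $lower = $Address.ToLowerInvariant()
    foreach ($s in $SkipSubstrings) {
        if ($lower.Contains($s)) { return $false }
    }
    return $true
}

function Get-HarvestedAddresses {
    param([string]$Root)
    $found = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $files = Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() }
    foreach ($file in $files) {
        $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
        if ($null -eq $text) { continue }
        foreach ($m in $EmailRegex.Matches($text)) {
            if (Test-HarvestedAddress -Address $m.Value) { [void]$found.Add($m.Value) }
        }
    }
    return $found
}

# Constructed sample tree (not real data).
$root = Join-Path ([IO.Path]::GetTempPath()) ("nuwar-harvest-demo-" + [Guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
# contacts.txt: one ordinary address, one role account, one address that trips
# the block-list only because "linux" occurs in the local part.
Set-Content -LiteralPath "$root\contacts.txt" -Value @'
jane.doe@example.com
postmaster@example.com
linux-users@example.org
'@
# page.htm: "support@" is dropped by the "support" entry even though it is a real mailbox.
Set-Content -LiteralPath "$root\page.htm" -Value '<a href="mailto:sales@example.net">Sales</a> support@example.net'
# notes.docx: never read, because .docx is not in the extension list.
Set-Content -LiteralPath "$root\notes.docx" -Value 'hidden@example.com'

Get-HarvestedAddresses -Root $root | Sort-Object
Remove-Item -LiteralPath $root -Recurse -Force
```

Running the emulation also shows how the block-list affects targeting: entries such as "local", "news", "update" and "support" discard any address containing them anywhere (a ".local" domain, a user named "newsome", a "product-update" list), which is consistent with the harvester favouring personal mailboxes over mailboxes likely to be monitored by administrators or security vendors.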
Prevention