Threat behavior
Backdoor:Win32/Nuwar.C is a backdoor Trojan that allows unauthorized access to an infected computer. The Trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This Trojan also contains advanced stealth functionality that allows it to hide particular files, folders and processes.
When executed, Backdoor:Win32/Nuwar.C performs the following actions:
- Copies itself to %windir%\spooldr.exe
- Creates a configuration file, %windir%\spooldr.ini, containing the list of peers to contact initially (see "Backdoor Functionality" below).
- Drops a kernel driver, <system folder>\spooldr.sys, and installs it as a driver service, using the file name minus the extension ("spooldr") as the display name.
- Creates an event named "K8JT6Hnjm$#jui#WWhHHgG" as a marker, so that it does not attempt to reinstall the driver while the driver is already running.
- Attempts to patch tcpip.sys so that the modified driver loads <system folder>\spooldr.sys. Both copies are targeted, <system folder>\dllcache\tcpip.sys and <system folder>\drivers\tcpip.sys; patching the dllcache copy as well prevents Windows File Protection from restoring a clean tcpip.sys from that cache.
- Attempts to modify Windows Time configuration settings.
Note: <system folder> refers to the Windows system folder. The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista); C:\Winnt\System32 (Windows NT/2000), C:\Windows\System (Windows 95/98/ME).
Backdoor:Win32/Nuwar.C takes several measures to lower security settings and evade detection on the infected computer, including the following:
- Registers itself as an exception to the Windows Internet Connection Firewall (ICF), so that inbound peer-to-peer connections to it are not blocked.
- Attempts to terminate the following security-related processes:
zlclient.exe
outpost.exe
fsbl.exe
- Attempts to prevent any executable image whose name contains one of the following substrings from running. Many of these belong to antivirus, firewall and anti-spyware products; others are known spyware, adware and rogue security applications, presumably blocked as an anti-competitive measure so that nothing else fights over the infected host:
avp.exe avpm.exe avz.exe bc_hassh_f.sys bc_ip_f.sys bc_ngn.sys bc_pat_f.sys bc_prt_f.sys bc_tdi_f.sys bcfilter.sys bcftdi.sys bdmcon.exe bdss.exe ccapp.exe ccevtmgr.exe cclaw.exe ccpxysvc.exe f-sched.exe f-stopw.exe filtnt.sys FireWalker.exe FloboSpywareClean.exe ForbesAlerts.exe fpavupdm.exe freedom.exe freeprodtb.exe FroggieScanDemo.exe fs30.exe fsav32.exe fsbl.exe fsdfwd.exe fservice.exe fsm32.exe ftviewer.exe fvprotect.exe fwnet64.exe gcasdtserv.exe gcasserv.exe GeoWhere.2.61.lite.exe gestionnaire antidote.exe GetByMail.exe GiveMeToo.exe Gnucleus.exe GoodbyeSpy.exe GrabBurn.exe guard.exe gv.exe hackmon.exe HbtOEAddOn.exe hidownload.exe HitVirus.exe hwpe2.exe iao.exe icmon.exe iesplugin.dll IEWatch20.exe IncrediMail inetupd.exe install.exe InternetSpy.exe IntraKey.exe irsetup.exe isaddon.dll isafe.exe isamini.exe isamonitor.exe isass.exe isclean.exe ishost.exe ismini.exe isnotify.exe issearch.exe issvc.exe itbill.exe itunesmusic.exe iwnvod.exe ixt0.dll Jimmy Surf.exe JustRemoteITServer.exe kav.exe kavss.exe kavsvc.exe KeyLogger.exe KeyLover21.exe KillAndClean.exe klpf.exe klswd.exe kpf4ss.exe little_helper2.exe livesrv.exe LoggerConfigurator.exe lsasrv.exe lsass32.exe magiclink.exe MagPlayer.exe MailSkinner.exe Main.exe MainWnd.exe MalScr.exe MalSwep.exe MalwareDestroyer.exe MalWhere.exe mathchk.exe mcagent.exe mcshield.exe mctskshd.exe MemoryWatcher.exe MNS.exe Mob Masher.exe moni.exe monifree.exe MP3Galaxy.exe mpfirewall.sys MPPoker.exe mscornet.exe msecag.exe msgsys.exe MSHUTDOWN.exe msls32.exe MsnSniffer.exe mssearchnet.exe msssrv.exe multipl.exe mupd32.dll mwsoemon.exe mytoolbar.dll MyVideoDaily2.exe navapp.exe navstub.exe navw32.exe NetCtl.exe NetPumperIEProxy.exe Netzip.exe nisum.exe Njexplor.exe NLSupervisorPro.exe no32mon.exe nod32krn.exe nod32ra.exe norton update.exe nsmdtr.exe nstask32.exe nvctrl.exe OemjiShare.exe ofcdog.exe optimize.exe outpost.exe Overseer.exe OverSpy.exe P2P Networking.exe pavfnsvr.exe pbcpl.exe PBOptions.exe PC Scanner.exe 
pcacmes.exe PCagent.exe PCBusted.exe pcOrion.exe pcps.exe PCSmokingGun2.exe pctptt.exe pcwatch.exe Penguin Panic.exe personalmoneytree.exe PestTrap.exe PestWiper.exe picx.exe PKViewer.exe plook.exe pmmon.exe pmsngr.exe pmuninst.exe POPUPS~1.EXE powerscan.exe ppmemcheck.exe ppsys.exe ppv5.exe PrecisionTime.exe PrivacyCrusaderDemo.exe PrivateMailReader.exe ProcAlert.exe Pronto.exe prt.exe PSFree.exe pxckdla.exe qconsole.exe qpanel.exe rasautou.exe RazeSpyware.exe RCPAdmin.exe rdriv.sys Recorder.exe regbar.exe RegClean32.exe Registry Fix.exe RegistryCare.exe RegistrySweeper.exe
regresc.exe RemedyAntispy.exe removeit.exe RepSvc.exe RFManager.exe rpcsetup.exe rrtcany.dll rtvscan.exe RunBackGammon.exe RunBingo.exe Safewebsurfer.exe sandbox.sys sandboxieserver.exe SAR.exe SaveMyWork.exe savscan.exe sb32mon.exe sbserv.exe sbsse.exe Scan&Repair2006.exe Scanner.exe scanregw.exe Scrabble.exe Sd2006.exe SecCon.exe Secret Spy.exe Security iGuard.exe SeeStat.exe serv.exe service.exe service32.exe SGFwSvc.exe showbar.exe ShowBehind.exe sidefind.exe SK60.exe skin2000.exe sks32proc.exe SlimShield.exe slman.exe SmileySource.exe smoke.exe smpcpro.exe smss32bk.exe SnackMan.exe sndsrvc.exe Snoop.exe SnowballWars.exe Sp0.exe sp_rsser.exe spamihilator.exe spampal.exe spbbcsvc.exe Spedia.exe Spy Cleaner Gold.exe Spy Cleaner Platinum.exe SpyAOL.exe SpyBro.exe spycl4.exe SpyFighter.exe SpyGraphica.exe SpyHeal.exe SpyHunter.exe SpyiBlock.exe Spyinator.exe SpyKiller.exe SpyLax.exe SpyMon.exe SpyOnThis.exe SpyPry.exe SpyReaperProDemo.exe spyrem.exe spyshield.exe SpySniper.exe SpySpotter.exe SpySub.exe Spytector.exe SpyTrooper.exe SpyViperProDemo.exe Spyware_Annihilator.exe SpywareBot.exe SpywareDetector.exe SpywareDisinfector.exe SpywareQuake.exe spywareremovalwizard.exe SpywareRemover.exe SpywareSlayer.exe SpywareStormer.exe SSDemo.exe sservice.exe Ssk.exe ssp.exe sss.exe StaffCop.exe stardialer.exe StartPoker.exe stinger.exe STMonitor.exe story.exe sunshinebingo.exe Surfkeeper.exe sv.exe svcmon.exe swatcher.exe swdoctor.exe swnxt.exe symwsc.exe syscfg32.exe sysd.exe sysformat.exe syslog.exe Syslogin.exe sysmgr32.exe sysmgr64.exe system.exe taskdir.exe tasker.exe titanshield.exe tmoagent.exe Toolbar_cobrand.EXE ToolKeylogger.exe TopSearch.exe tpcl.exe truedownloader.exe TrustCleaner.exe TTBSETUP.exe TVS_B.exe TWAB5.exe u88.exe UDC2006.exe uert.exe UltraKeyboard.exe UnSpyPC.exe update.bat updsvc.exe userinit32.exe usrprmpt.exe USYP.exe UTviewer.exe VCatch.exe vcehaeb.dll vetmsg.exe vetmsg9x.exe vettray.exe view.exe viewer.exe VIRTUESCOPE.exe VirusRescue.exe 
vptray.exe vsdatant.sys was6.exe watchdog.sys wcantispy.exe Weather.exe webrebates.exe websnitch.exe wfdmgr.exe whspeedrank.exe WICleaner.exe win16dll.exe WinAV.exe wincom32.sys wincp.exe windll.exe winlogin.exe winlogons.exe winlogonsys.exe WinPass.exe WinSL.exe winsrv32.exe wmsmod32.exe wnames.exe wnetmgr.exe words.exe WorldAntiSpy.exe wrclock.exe ws.exe wslogger.exe WSMDI.exe WTRTrial.exe wupdt.exe X-Con Spyware Destroyer.exe xcommsvr.exe xfr.exe Xolox.exe xp-antispy.exe xSpyware.exe zango.exe ZangoAstrology.exe ZangoTVTimes.exe zapspot.exe zclient.exe zcodec.exe ZComService.exe zilla.exe ZipItFast.exe zlara.dll
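The installation and evasion behaviour above gives a responder a compact set of host indicators: the three dropped "spooldr" files, the driver service, the marker event, the firewall exception and the patched tcpip.sys. The following PowerShell script is an added triage example, not code from the original article; it checks each of those indicators and returns the findings. The firewall registry path is the XP SP2 / Server 2003 location of the ICF allow list (an assumption about the platform; Vista and later store rules elsewhere), and the tcpip.sys check only reports hashes, because the page says both copies are patched, so they must be compared against a known-clean copy from installation media or a clean host of the same build.

```powershell
# Added triage example for the Backdoor:Win32/Nuwar.C indicators described
# on this page (not the article's own code). Run from an elevated prompt.
#
# Caveat: the page says spooldr.sys hides files, folders and processes whose
# names begin with "spooldr", so on a live infected host the file and service
# checks may come back clean. Repeat them from an offline boot (WinPE) or a
# mounted image. The marker event is not among the objects said to be hidden,
# so it is the most useful live check.

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

function Invoke-NuwarTriage {
    $findings = @()

    # 1. Dropped files, paths as given on the page.
    $dropped = @(
        (Join-Path $env:windir 'spooldr.exe'),
        (Join-Path $env:windir 'spooldr.ini'),
        (Join-Path $env:SystemRoot 'System32\spooldr.sys')
    )
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) { $findings += "dropped file present: $p" }
    }

    # 2. Driver service registered under the file name minus its extension.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\spooldr'
    if (Test-Path -LiteralPath $svc) { $findings += "driver service key present: $svc" }

    # 3. The re-installation marker event. Single quotes keep "$#" literal;
    #    both the session-local and the Global namespace are tried.
    foreach ($name in @('K8JT6Hnjm$#jui#WWhHHgG', 'Global\K8JT6Hnjm$#jui#WWhHHgG')) {
        try {
            $h = [System.Threading.EventWaitHandle]::OpenExisting($name)
            $h.Close()
            $findings += "marker event present: $name"
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present
        } catch [System.UnauthorizedAccessException] {
            $findings += "marker event present but access denied: $name"
        }
    }

    # 4. ICF / Windows Firewall application exception. Assumption: XP SP2 /
    #    Server 2003 per-profile allow list; Vista and later use another store.
    foreach ($fwProfile in @('StandardProfile', 'DomainProfile')) {
        $list = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\${fwProfile}\AuthorizedApplications\List"
        if (Test-Path -LiteralPath $list) {
            $props = Get-ItemProperty -LiteralPath $list
            foreach ($n in $props.PSObject.Properties.Name) {
                if ($n -like '*spooldr*') { $findings += "firewall exception (${fwProfile}): $n" }
            }
        }
    }

    # 5. tcpip.sys integrity. Both copies are patched according to the page, so
    #    agreement between them proves nothing; compare against a clean copy.
    $drv   = Join-Path $env:SystemRoot 'System32\drivers\tcpip.sys'
    $cache = Join-Path $env:SystemRoot 'System32\dllcache\tcpip.sys'
    foreach ($t in @($drv, $cache)) {
        if (Test-Path -LiteralPath $t) { $findings += "tcpip.sys SHA-256 ($t): $(Get-Sha256Hex $t)" }
    }

    return ,$findings
}

$result = Invoke-NuwarTriage
if ($result.Count -eq 0) { 'No Nuwar.C indicators found (see the live-host caveat above).' }
else { $result }
```

Because the rootkit component filters directory listings and process enumeration for "spooldr" names, a clean result from the file checks on a running host is not evidence of absence; the event check and an offline comparison of tcpip.sys carry more weight.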
Advanced Stealth Features
The driver, "spooldr.sys", hides files, folders and processes beginning with the string "spooldr" by hooking the following function:
Backdoor Functionality
The Trojan attempts to join a malicious peer-to-peer network over which commands are exchanged between peers. Once connected, an active peer can be instructed to perform several actions, including:
- Gather e-mail addresses from files with the following extensions on all fixed drives of the affected machine:
.adb
.asp
.cfg
.cgi
.dat
.dbx
.dhtm
.eml
.htm
.jsp
.lst
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
Addresses that contain any of the following substrings are skipped (they cover antivirus vendors, abuse and postmaster mailboxes, mailing-list and other role accounts that would be unproductive or risky spam targets):
@avp.
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
- Perform denial-of-service (DoS) attacks.
- Compose and send e-mail to addresses supplied over the peer-to-peer network. This is used to send spam or to distribute further malware.
- Download and execute arbitrary files, including updated copies of itself.
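The harvesting rules above (targeted extensions, then the exclusion substrings) let a responder estimate which addresses on a compromised machine were exposed. The script below is an added example, not code from the original article; it applies those two lists to a directory tree and separates addresses the Trojan would have collected from those it would have skipped. It only reads files and sends nothing. The address regex and the case-insensitive substring match are assumptions (the page does not describe how addresses are extracted), and the sample files it creates are constructed for the demonstration.

```powershell
# Added exposure-assessment example (not the article's own code): which
# addresses on a volume would Backdoor:Win32/Nuwar.C have harvested?

$harvestExtensions = @('.adb','.asp','.cfg','.cgi','.dat','.dbx','.dhtm','.eml','.htm','.jsp',
    '.lst','.mbx','.mdx','.mht','.mmf','.msg','.nch','.ods','.oft','.php','.pl','.sht','.shtm',
    '.stm','.tbb','.txt','.uin','.wab','.wsh','.xls','.xml')

$skipSubstrings = @('@avp.','@foo','@iana','@messagelab','@microsoft','abuse','admin','anyone@',
    'bsd','bugs@','cafee','certific','contract@','f-secur','feste','free-av','gold-certs@','google',
    'help@','icrosoft','info@','kasp','linux','listserv','local','news','nobody@','noone@','noreply',
    'ntivi','panda','pgp','postmaster@','rating@','root@','samples','sopho','spam','support','unix',
    'update','winrar','winzip')

function Test-NuwarSkipsAddress([string]$Address) {
    # Assumption: the substring comparison is case-insensitive.
    $lower = $Address.ToLowerInvariant()
    foreach ($s in $skipSubstrings) { if ($lower.Contains($s)) { return $true } }
    return $false
}

function Get-NuwarExposedAddresses([string]$Root) {
    # Assumption: a simple address regex; binary formats such as .dbx, .wab and
    # .xls are read as text, which still surfaces ASCII addresses.
    $pattern = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
    $exposed = @{}
    $skipped = @{}
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($harvestExtensions -contains $_.Extension.ToLowerInvariant()) } |
        ForEach-Object {
            $text = [System.IO.File]::ReadAllText($_.FullName)
            foreach ($m in [regex]::Matches($text, $pattern)) {
                if (Test-NuwarSkipsAddress $m.Value) { $skipped[$m.Value] = $true }
                else { $exposed[$m.Value] = $true }
            }
        }
    New-Object PSObject -Property @{
        Exposed = @($exposed.Keys | Sort-Object)
        Skipped = @($skipped.Keys | Sort-Object)
    }
}

# Constructed demo data: one targeted text file, one untargeted .docx, one .eml.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'nuwar-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'contacts.txt') -Value 'alice@example.com, support@example.com, bob@example.org'
Set-Content -Path (Join-Path $demo 'notes.docx')   -Value 'carol@example.net'
Set-Content -Path (Join-Path $demo 'abuse.eml')    -Value 'From: abuse@example.com To: dave@example.com'

$r = Get-NuwarExposedAddresses $demo
"Exposed: $($r.Exposed -join ', ')"
"Skipped: $($r.Skipped -join ', ')"
Remove-Item -Recurse -Force $demo
```

Run it against the drive roots of a compromised host to list the addresses that should be treated as leaked to the botnet's spam lists; note that the exclusion list is what the page describes, so an address like support@example.com is reported as skipped even though it was present in a targeted file.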
Prevention