Trojan:Win32/Opachki.C is a backdoor that modifies a number of system settings, and periodically attempts to download and execute arbitrary files.
Installation
When run, Trojan:Win32/Opachki.C copies itself as a hidden system file to <system folder>\ntload.exe and %USERPROFILE%\rundll32.exe. Some variants may also drop a DLL to %USERPROFILE%\ntload.dll. It sets the creation time, last access time, and last modification time of these files to have the same values as those of the operating system file at <system folder>\kernel32.dll.
It then launches one of these copies.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
It also creates the following registry entries to ensure the malware runs at each system start:
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "rundll32"
With data: "<system folder>\ntload.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "rundll32"
With data: "%USERPROFILE%\rundll32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "shell"
With data: "explorer.exe <system folder>\ntload.exe"
Trojan:Win32/Opachki.C may periodically attempt to rewrite these copies and registry entries if one or more is deleted.
Payload
Modifies system settings
The trojan runs multiple instances of the reg.exe utility in an attempt to remove settings that are used when the computer is started in Safe Mode, by making the following registry changes:
Deletes key: HKLM\System\CurrentControlSet\Control\Safeboot
Deletes key: HKLM\System\ControlSet001\Control\Safeboot
Deletes key: HKLM\System\ControlSet002\Control\Safeboot
Trojan:Win32/Opachki.C disables the LUA (Least Privileged User Account), also known as the “administrator in Admin Approval Mode” user type, by making the following registry modification:
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
It may attempt to stop the Windows Security Center from monitoring the affected user's antivirus application:
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntiVirusOverride"
With data: "1"
Trojan:Win32/Opachki.C may attempt to stop the Windows Security Center from monitoring the firewall by making the following registry modifications:
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "FirewallOverride"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallOverride"
With data: "1"
It may attempt to disable firewall notifications from the Windows Security Center:
To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallDisableNotify"
With data: "1"
Trojan:Win32/Opachki.C may attempt to stop the Windows Security Center from displaying security alert notifications by making the following registry modifications:
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "UacDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "UacDisableNotify"
With data: "1"
It may also attempt to stop the Windows Security Center from displaying automatic alerts:
To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "UpdatesDisableNotify"
With data: "1"
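As an added defender-side example (not part of this entry or Microsoft's tooling), the following Python checks a `reg export` text for the persistence, EnableLUA, Security Center and SafeBoot modifications listed above. The sample export is constructed to mirror those values; the finding strings and the assumption that an export lists every subkey (so a Control key with no SafeBoot child means the key was deleted) are mine.

```python
# Constructed sample in `reg export` syntax, mirroring the modifications listed in this entry.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32"="C:\\Windows\\System32\\ntload.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\Windows\\System32\\ntload.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
'''

def parse_reg(text):  # key path -> {value name: data}; string and dword values, case-folded
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"').lower()] = (
                int(data[6:], 16) if data.startswith("dword:")
                else data.strip('"').replace("\\\\", "\\"))
    return keys
HKLM = "hkey_local_machine\\"
VALUE_CHECKS = [  # (key, value name, test on the data, finding) for the values this entry lists
    (HKLM + r"software\microsoft\windows\currentversion\run", "rundll32",
     lambda d: "ntload.exe" in str(d).lower(), "HKLM Run value launches ntload.exe"),
    (HKLM + r"software\microsoft\windows nt\currentversion\winlogon", "shell",
     lambda d: str(d).lower() != "explorer.exe", "Winlogon Shell chains an extra executable"),
    (HKLM + r"software\microsoft\windows\currentversion\policies\system", "enablelua",
     lambda d: d == 0, "UAC (EnableLUA) disabled"),
]
SC = HKLM + r"software\microsoft\security center"
VALUE_CHECKS += [(SC + sub, v, lambda d: d == 1, f"Security Center {v} set")
                 for sub in ("", r"\svc") for v in ("antivirusoverride", "firewalloverride",
                 "firewalldisablenotify", "uacdisablenotify", "updatesdisablenotify")]
SAFEBOOT_PARENTS = [HKLM + "system\\" + cs + "\\control"
                    for cs in ("currentcontrolset", "controlset001", "controlset002")]

def find_indicators(reg_text):
    keys = parse_reg(reg_text)
    found = [msg for key, name, test, msg in VALUE_CHECKS
             if name in keys.get(key, {}) and test(keys[key][name])]
    # an export lists every subkey, so a Control key with no SafeBoot child means it was deleted
    found += ["SafeBoot key missing under " + p for p in SAFEBOOT_PARENTS
              if p in keys and not any(k.startswith(p + r"\safeboot") for k in keys)]
    return found
```

Run it against an export of HKLM\SOFTWARE and HKLM\SYSTEM taken from the suspect machine; an empty list means none of the listed modifications are present.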
Removes system restore points
Trojan:Win32/Opachki.C attempts to remove all previous system restore points, thereby preventing the system from being restored to a pre-infection state.
Backdoor functionality
Trojan:Win32/Opachki.C periodically contacts a remote server, which may issue it with one or more commands. These commands may include:
- Download an arbitrary file to the %TEMP% directory, and execute it
- Change the interval between attempts to contact the backdoor’s server
- Change the decryption key for downloaded commands
Variants of Trojan:Win32/Opachki have been observed downloading components of the Win32/Alureon family, malware that attempts to steal the user’s FTP passwords, and fake antivirus software such as Rogue:Win32/FakeRean.
When first contacting the remote server, the malware may send various items of system information, such as the computer name, locations of various directories, and version numbers of the operating system and Internet Explorer.
Examples of servers used at the time of publication include the following:
- Justslonka.com
- Sweetcandy.biz
- Osdad.com
- Blader1.co.cc
- Blader2.co.cc
- Dscodec.com
Additional information
Trojan:Win32/Opachki.C may store configuration information in some of the following files in the %USERPROFILE% directory:
- cz.dat
- bkurl.dat
- podmenabkurl.dat
- as.dat
- asr.dat
And in the following registry value:
HKCU\Software\Microsoft\adver_id
Analysis by David Wood