Backdoor:Win32/Refpron.F is a backdoor trojan that may perform activities such as downloading and executing arbitrary files, deleting files, terminating processes, and sending system information to a remote server. It may download components that allow it to collect per-click advertising revenue from other websites.
Installation
Backdoor:Win32/Refpron.F is typically installed by another piece of malware. It has been observed in the wild being installed to the System directory of affected machines by variants of Trojan:Win32/Refpron (such as Trojan:Win32/Refpron.gen).
It copies the clean system file <system folder>\urlmon.dll to %temp%\mtaw<5-6 random digits>.dll.
Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.
It extracts a user ID from <system folder>\comsa32.sys (which may have been written by a variant of Trojan:Win32/Refpron), encrypts it, and writes the encrypted value to the following registry entry:
HKLM\Software\Microsoft\uid
Payload
Modifies System Settings
The malware makes a number of changes to registry settings in order to facilitate its activities, or to reduce the likelihood of these activities being noticed by the affected user. These changes include:
Under key: HKCU\AppEvents\Schemes\Apps\.Default\SystemExclamation\
Sets value: .Current
With data: ""
This prevents any warning sound from being played when an event occurs that would normally trigger a system alert.
Under key: HKCU\Software\Microsoft\Internet Explorer\Main\
Sets value: Disable Script Debugger
With data: "yes"
Sets value: DisableScriptDebuggerIE
With data: "yes"
Sets value: Error Dlg Displayed On Every Error
With data: "no"
Sets value: Play_Animations
With data: "no"
Sets value: Play_Background_Sounds
With data: "no"
Sets value: Display Inline Videos
With data: "no"
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Sets value: WarnOnZoneCrossing
With data: 0
Sets value: WarnOnPostRedirect
With data: 0
Sets value: WarnonBadCertRecving
With data: 0
Sets value: WarnOnHTTPSToHTTPRedirect
With data: 0
Sets value: WarnOnPost
With data: 00 00 01 00
The following registry change prevents language pack installations:
Under key: HKCU\Software\Microsoft\Internet Explorer\International\
Sets value: W2KLpk
With data: 0
The following registry changes modify Internet Explorer's permissions for websites in the "Internet" zone. Each numeric value name represents a particular permission that may be enabled or disabled. A setting of 0 generally allows a particular action, 3 prohibits the action, and 1 prompts the user to allow the action.
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
Sets value: 1001
With data: 0
Permission setting: Download signed ActiveX controls
Sets value: 1206
With data: 0
Permission setting: Allow scripting of Internet Explorer Web browser control
Sets value: 1400
With data: 0
Permission setting: Active scripting
Sets value: 1402
With data: 0
Permission setting: Scripting of Java applets
Sets value: 1405
With data: 0
Permission setting: Script ActiveX controls marked as safe for scripting
Sets value: 1406
With data: 0
Permission setting: Access data sources across domains
Sets value: 1407
With data: 0
Permission setting: Allow Programmatic clipboard access
Sets value: 1601
With data: 0
Permission setting: Submit non-encrypted form data
Sets value: 1604
With data: 1
Permission setting: Font Download
Sets value: 1605
With data: 3
Permission setting: Run Java
Sets value: 1606
With data: 0
Permission setting: Userdata Persistence
Sets value: 1607
With data: 0
Permission setting: Navigate Sub-Frames Across Domains
Sets value: 1608
With data: 0
Permission setting: Allow META REFRESH
Sets value: 1609
With data: 0
Permission setting: Display Mixed Content
Sets value: 1800
With data: 3
Permission setting: Installation of desktop items
Sets value: 1802
With data: 0
Permission setting: Drag and drop or copy and paste files
Sets value: 1803
With data: 0
Permission setting: File Download
Sets value: 1804
With data: 0
Permission setting: Launching programs and files in an IFRAME
Sets value: 1805
With data: 0
Permission setting: Launching programs and files in webview
Sets value: 1806
With data: 3
Permission setting: Launching applications and unsafe files
Sets value: 1809
With data: 0
Permission setting: Use Pop-up Blocker
Sets value: 1A02
With data: 0
Permission setting: Allow persistent cookies that are stored on your computer
Sets value: 1A03
With data: 0
Permission setting: Allow per-session cookies (not stored)
Sets value: 1A05
With data: 0
Permission setting: Allow 3rd party persistent cookies
Sets value: 1A06
With data: 0
Permission setting: Allow 3rd party session cookies
Sets value: 1C00
With data: 0
Permission setting: Java Permissions
Sets value: 2200
With data: 3
Permission setting: Automatic prompting for file downloads
Sets value: 2201
With data: 3
Permission setting: Automatic prompting for ActiveX controls
It also attempts to stop the “Indexing Service”.
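As an added example that is not part of the original analysis, the following Python checks saved `reg query` output against the registry profile described above, so a responder can triage a host or a collected registry export. The sample output is constructed; the profile values are the ones listed in this write-up, and a match is an indicator to investigate, not proof of infection on its own.

```python
import re

# Registry values this backdoor has been observed to set (taken from the write-up above);
# REG_DWORD data only, paths relative to HKCU. Each match is one indicator, not proof.
REFPRON_PROFILE = {
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings": {
        "WarnOnZoneCrossing": 0, "WarnOnPostRedirect": 0,
        "WarnonBadCertRecving": 0, "WarnOnHTTPSToHTTPRedirect": 0},
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3": {
        "1001": 0, "1400": 0, "1405": 0, "1604": 1, "1605": 3,
        "1804": 0, "1806": 3, "2200": 3, "2201": 3},
}

# Constructed sample in the layout 'reg query' prints: a key header line, then
# '<name>    <type>    <data>' lines. One value deliberately differs from the profile.
SAMPLE = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    WarnOnZoneCrossing    REG_DWORD    0x0
    WarnonBadCertRecving    REG_DWORD    0x0
    WarnOnHTTPSToHTTPRedirect    REG_DWORD    0x1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1001    REG_DWORD    0x0
    1400    REG_DWORD    0x0
    1604    REG_DWORD    0x1
    1605    REG_DWORD    0x3
    1806    REG_DWORD    0x3
    2201    REG_DWORD    0x3
"""

VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def parse_reg_query(text):
    """Map (key path without hive, value name) -> int for REG_DWORD values."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.split("\\", 1)[1].strip()      # drop the hive name
            continue
        m = VALUE_RE.match(line)
        if m and key is not None and m.group(2) == "REG_DWORD":
            values[(key, m.group(1))] = int(m.group(3), 16)   # data is printed as 0x...
    return values

def match_profile(values, profile=REFPRON_PROFILE):
    """Return [(key, name, value)] for every profile entry present with the expected data."""
    return [(key, name, exp) for key, expected in profile.items()
            for name, exp in expected.items() if values.get((key, name)) == exp]

def scan(text):
    # Parse reg query output and report which Refpron registry indicators it matches.
    return match_profile(parse_reg_query(text))
```

Feed it the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /s` saved to a file; values whose data does not match the profile (such as the HTTPS-to-HTTP warning in the sample) are not reported.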
Backdoor Functionality
Once installed, the malware periodically attempts to contact a number of servers. At the time of publication, several variants have been observed to contact the following:
Bfkq.com
74.54.201.210
74.54.89.66
Jsactivity.com
74.55.37.210
It sends filename and version information regarding itself to each of these servers. Servers that are available respond with a location from which further files can be downloaded, and parameters for various activities that the backdoor's controller wishes to be performed.
These activities are discussed in the following sections.
Downloads and Executes Arbitrary Files
The backdoor’s controller provides a list of files to download, and the most recent version number of each of these files. If that file is not already present, or if there is a newer version available, the backdoor contacts a location previously supplied by the server, and attempts to download the requested file. If this attempt fails, it may instead attempt to download from one of a number of predefined alternative locations. Several variants around the time of publication were observed to use the following:
74.54.201.210
74.54.89.66
cooleezq6.vicp.net
cnwebmastersblog.com
Downloaded files are temporarily saved to <system folder>\tmp0_<12 random digits>bk, before being moved to the System directory and executed.
Files downloaded have included multiple slightly different variants of Trojan:Win32/Refpron, and updated variants of Backdoor:Win32/Refpron.F. Other files have also been requested but these did not appear to be available at the time of publication.
Trojan:Win32/Refpron variants are run with command line options to install the malware, and then a separate command is issued to start them as services.
Several variants of Backdoor:Win32/Refpron.F have been observed to use the following filenames for the Trojan:Win32/Refpron variants they install:
Afinding .exe
Wserving.exe
routing.exe
perfs.exe
Nobicyt.exe
All five of these are run at the same time in order to reduce the likelihood of the service being detected and removed. If these components were previously installed on the system, and have not been updated, the malware will restart their services if these were not running already.
Several variants also download a TrojanClicker component to the System directory. Some have been observed to use the filename 'cexwxfst.sys'. This file may be detected as TrojanClicker:Win32/Refpron.A or similar. It is not executed immediately, but may be executed later on the backdoor controller's command (see below for more details).
Deletes Files
The backdoor’s controller may request that certain files be deleted. In one example, observed around the time of publication, the following files were targeted for deletion:
<system folder>\adcklog.dat
<system folder>\getlog.txt
<system folder>\ndt2.txt
<system folder>\perfs.txt
<system folder>\perfsstxt
<system folder>\routing.txt
%windir%\test_winnt.txt
Terminates Processes
Certain files may also be targeted to have their processes terminated. In one observed example, the following files were targeted in this manner:
ctfmon.exe
wuauclt.exe (Windows Update)
Visits Websites
The backdoor's controller may provide a list of websites to visit, and search terms and other parameters to use when doing so. This may be in order to collect per-click advertising revenue. The malware saves the details of each requested website to %windir%\Install.txt or <system folder>\Install.txt. An example of the contents of one of these files is shown below:
fid=348
ftype=park
portal=http://www.overtravel.net/*****/*****.php?ref=176
adlink=*****.php?
click=*****.php?
isHits=1
ctr=100
subtype=ds
imgsrc=100
ahref=100
nrnd=24
nrndforctr1=59
nrndforctr2=97
iprange=1111111111111111111111111111111111111111
useips=ALL
It then launches the TrojanClicker component described above, which reads the contents of the file, and uses these details to visit the requested site.
It may also visit these websites directly without using the TrojanClicker component.
Sends System Information
The backdoor may be commanded to send system information, including the following:
Running processes and their process IDs
TCP sockets on the system listening on any of ports 25, 110, 443, 445, 139, 135 and 3389
The status of various Refpron components (e.g. running/not running/deleted) and the antivirus products present on the system that may have removed them.
It recognizes particular antivirus products by searching for files that are associated with them. The files targeted in this way may be specified by the backdoor’s controller. One observed example used the following list of files:
aswServ.exe (avast)
avguard.exe (avira)
avp.exe (kaba)
ClamWin.exe (Clam)
F-Sched.exe (F-Prot)
fsgk32st.exe (f-secure)
KAVSvc.EXE (Kaspersky)
guard.exe (avg)
MicroSoft.pif (Microsoft)
nod32krn.exe (nod32)
Ravmond.exe (rising)
Rtvscan.exe (Symantec)
Shstat.exe (McAfee)
Additional Information
The backdoor stores a representation of the time that it was last updated in the registry entry at
HKLM\Software\Microsoft\WBEM\Update.
Systems infected with Refpron variants have been reported to play audio advertisements and other random music.
Analysis by David Wood