Installation
Caphaw.D makes a copy of itself in the %APPDATA% folder, using a variable file name borrowed from an existing, often legitimate, file that it finds in the <system folder>, such as any of the following:
- arp.exe
- ckcnv.exe
- cliconfg.exe
- dfrgfat.exe
- gdi.exe
- locator
- lsass.exe
- mshearts.exe
- qwinsta.exe
- sdbinst.exe
- shadow.exe
- slrundll.exe
- spoolsv.exe
- taskkill.exe
- taskman.exe
- taskmgr.exe
- winlogon.exe
- wpabaln.exe
Note that the following legitimate files exist by default in the <system folder>:
- arp.exe
- cliconfg.exe
- lsass.exe
- qwinsta.exe
- sdbinst.exe
- spoolsv.exe
- taskkill.exe
- taskmgr.exe
- winlogon.exe
Alternatively, the trojan has also been observed copying itself as the following file, whose name mimics the legitimate lsass.exe:
c:\windows\system32\lssas.exe
It changes your registry to ensure it runs at each Windows restart:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, "{81609907-FFED-EC46-7CA6-F8CF6C5B8516}")
With data: "<full installation path>" (for example "%AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng\taskman.exe")
Sets value: "LssaShellEx"
With data: "<full installation path> [-reg]" (for example, "c:\windows\system32\lssas.exe")
The malware creates a mutex whose name is derived from the random CLSID (for example, 81609907FFEDEC467CA6F8CF6C5B851681609907F81609907). It probably does this to ensure that only one copy of itself is running on your PC at any time.
It injects code into explorer.exe, then deletes itself after it has performed its malicious routine.
Backdoor:Win32/Caphaw.D injects itself into the following processes to try to prevent your security software from detecting and removing it:
- cmd.exe
- DW20.EXE
- ElementClient.exe
- explorer.exe
- fescom.exe
- fsav.exe
- game.exe
- inort.exe
- Kavstart.exe
- mrt.exe
- QQgame.exe
- reader_sl.exe
Spreads via...
Shared folders on the network
Backdoor:Win32/Caphaw.D searches for files with the following extensions in shared folders on your network:
It also searches for Microsoft Office documents, including files with the following extensions:
- .DOC
- .DOCX
- .XLS
- .XLSX
- .PPT
- .PPTX
- .PPS
- .PPSX
When it finds such a file, it copies itself into the file's folder and creates a shortcut to its copy using the file's name. It also sets the "HIDDEN" attribute for the original file. The shortcut file is detected as Backdoor:Win32/Caphaw.D!lnk.
For example, if the trojan found the file Presentation_2012_FINAL.pptx, it hides that file so you cannot see it in Windows Explorer and creates a shortcut file with the name Presentation_2012_FINAL.pptx.lnk.
In this way, you may be lured into clicking the shortcut, mistaking it for the original file. The shortcut will launch a copy of the malware variant along with the original file.
In the wild, we have observed the trojan to be copied with the following file names:
- thumbs.dbh - detected as Backdoor:Win32/Caphaw.D
- thumbs.db2 - detected as Backdoor:Win32/Caphaw.D
- thumbs.dbg - detected as Backdoor:Win32/Caphaw.D
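The lure pattern described above (a hidden Office document, a shortcut with the document's name beside it, and a dropped copy named thumbs.db*) can be hunted on a share with a short scan. The following is an added example written for this page, not Microsoft's code and not part of the malware: it walks a directory tree and reports document lures, dropped payload names, and shortcuts whose body references one of those payload names. The sample share built by build_sample_share() is constructed for the demo, and its .lnk files carry only the real ShellLink header bytes, not a complete shortcut.

```python
"""Hunt a file share for the Caphaw.D shortcut lure.

Added example, not part of the Microsoft write-up. It turns the spreading
behaviour described above into a scan that reports:
  * document_lure       - an Office document with a "<same name>.lnk" beside it
  * hidden_original     - that document carrying the HIDDEN attribute (Windows only)
  * payload_file        - a thumbs.dbh / thumbs.db2 / thumbs.dbg file
  * lnk_targets_payload - a .lnk whose body references one of those payload names
The sample share from build_sample_share() is constructed for the demo; the
.lnk files in it carry only the real ShellLink header, not a full shortcut.
"""
import os
import tempfile
from pathlib import Path

OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pps", ".ppsx"}
PAYLOAD_NAMES = {"thumbs.dbh", "thumbs.db2", "thumbs.dbg"}
FILE_ATTRIBUTE_HIDDEN = 0x2

# Every shortcut begins with HeaderSize 0x4C and the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def is_hidden(path):
    """True/False from st_file_attributes on Windows, None elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def lnk_references_payload(lnk):
    """Cheap check: does the shortcut body mention a payload file name?
    LinkInfo stores paths as ASCII and StringData as UTF-16-LE, so try both."""
    data = lnk.read_bytes()
    if not data.startswith(LNK_MAGIC):
        return False
    body = data.lower()          # only ASCII letters change, NUL bytes survive
    return any(n.encode("ascii") in body or n.encode("utf-16-le") in body
               for n in PAYLOAD_NAMES)


def find_caphaw_lures(root):
    """Walk root and return (finding, path) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        by_lower = {f.lower(): f for f in files}
        for f in files:
            low = f.lower()
            full = folder / f
            if low in PAYLOAD_NAMES:
                findings.append(("payload_file", str(full)))
            if not low.endswith(".lnk"):
                continue
            stem = low[:-len(".lnk")]           # e.g. presentation_2012_final.pptx
            if os.path.splitext(stem)[1] in OFFICE_EXTS and stem in by_lower:
                findings.append(("document_lure", str(full)))
                original = folder / by_lower[stem]
                if is_hidden(original):
                    findings.append(("hidden_original", str(original)))
            if lnk_references_payload(full):
                findings.append(("lnk_targets_payload", str(full)))
    return findings


def build_sample_share(base):
    """Constructed sample: one infected folder, one clean folder."""
    infected = Path(base) / "Finance"
    infected.mkdir(parents=True, exist_ok=True)
    (infected / "Presentation_2012_FINAL.pptx").write_bytes(b"PK\x03\x04 stand-in document")
    target = "\\\\fileserver\\Finance\\thumbs.db2".encode("utf-16-le")
    (infected / "Presentation_2012_FINAL.pptx.lnk").write_bytes(LNK_MAGIC + bytes(56) + target)
    (infected / "thumbs.db2").write_bytes(b"MZ stand-in for the dropped copy")
    clean = Path(base) / "HR"
    clean.mkdir(exist_ok=True)
    (clean / "Policy.docx").write_bytes(b"PK\x03\x04 stand-in document")
    (clean / "Archive.lnk").write_bytes(LNK_MAGIC + bytes(56))   # ordinary shortcut
    return base


def demo():
    """Build the sample share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_share(base)
        return find_caphaw_lures(base)


if __name__ == "__main__":
    for kind, path in sorted(demo()):
        print(f"{kind:20} {path}")
```

Point find_caphaw_lures() at a mounted share to use it for real; the hidden_original finding only appears on Windows, where os.stat exposes the file attributes, and the sample share does not set the HIDDEN bit, so the demo reports the other three findings only. The .lnk check is a substring search, not a full MS-SHLLINK parser, so treat a hit as a reason to pull the shortcut for analysis rather than as proof on its own.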
Payload
Allows backdoor access and control
Backdoor:Win32/Caphaw.D tries to communicate over TCP port 443 with certain servers, such as the following:
- barclays-touchclarity.cc
- dig-services.su
- iguards.cc
- iprotections.su
- main-protec.at
- paragua-store.su
- plc-statistics.su
- some-system.cc
- struc-main.su
- upd-stat.cc
- worldwide-statistics.net
- wprotections.cc
- wprotections.su
Using this backdoor, an attacker can perform actions on your PC such as:
- Take control of your PC's desktop, which allows the hacker to see the desktop, and to gain control of the mouse and keyboard
- Access files and folders via an internal FTP server
- Redirect Internet traffic via a proxy server
- Send ICMP (Internet Control Message Protocol) packets that can be used in distributed denial-of-service (DDoS) attacks
- Log and redirect web traffic from Mozilla Firefox and Internet Explorer
- Update itself
- Shut down or restart your PC
Analysis by Hyun Choi