BackDoor.Gbot.2938

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'vxA0ucS2iFp6W8R8234A' = '<SYSTEM32>\AV Protection 2011v121.exe'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'eEL9gTZqjCkVzNx' = '%APPDATA%\dwme.exe'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'hl0GasWIrP5Qd8P8234A' = '%APPDATA%\BonF4pmH5EFKf\AV Protection 2011v121.exe'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '36C.exe' = '%ProgramFiles(x86)%\LP\B3ED\36C.exe'

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Security Center
Windows Defender

blocks the following features:

Windows Action Center

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe

Searches for registry branches where third party applications store passwords

[<HKCU>\Software\Far\Plugins\FTP\Hosts]
[<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
[<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
[<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
[<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
[<HKCU>\Software\BPFTP]
[<HKCU>\Software\TurboFTP]
[<HKCU>\Software\Sota\FFFTP]
[<HKCU>\Software\Sota\FFFTP\Options]
[<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
[<HKCU>\Software\FTPWare\COREFTP\Sites]
[<HKCU>\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224]
[<HKCU>\Software\VanDyke\SecureFX]
[<HKCU>\Software\Cryer\WebSitePublisher]
[<HKLM>\Software\Wow6432Node\NCH Software\ClassicFTP\FTPAccounts]
[<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
[<HKCU>\SOFTWARE\NCH Software\Fling\Accounts]
[<HKLM>\SOFTWARE\Wow6432Node\NCH Software\Fling\Accounts]
[<HKCU>\Software\FTPClient\Sites]
[<HKLM>\Software\Wow6432Node\FTPClient\Sites]
[<HKCU>\Software\SoftX.org\FTPClient\Sites]
[<HKLM>\Software\Wow6432Node\SoftX.org\FTPClient\Sites]
[<HKCU>\Software\Martin Prikryl]
[<HKLM>\Software\Wow6432Node\Martin Prikryl]
[<HKLM>\Software\FileZilla Client]
[<HKCU>\Software\South River Technologies\WebDrive\Connections]
[<HKLM>\Software\Wow6432Node\FileZilla Client]
[<HKLM>\Software\Wow6432Node\FileZilla]
[<HKCU>\Software\Far2\Plugins\FTP\Hosts]
[<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
[<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
[<HKCU>\Software\Ghisler\Windows Commander]
[<HKCU>\Software\Ghisler\Total Commander]
[<HKLM>\Software\Wow6432Node\Ghisler\Windows Commander]
[<HKLM>\Software\Ghisler\Windows Commander]
[<HKLM>\Software\Wow6432Node\Ghisler\Total Commander]
[<HKLM>\Software\Ghisler\Total Commander]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
[<HKCU>\Software\FlashFXP\3]
[<HKCU>\Software\FlashFXP]
[<HKLM>\Software\Wow6432Node\FlashFXP\3]
[<HKLM>\Software\FlashFXP\3]
[<HKLM>\Software\Wow6432Node\FlashFXP]
[<HKLM>\Software\FlashFXP]
[<HKCU>\Software\FileZilla]
[<HKCU>\Software\FileZilla Client]
[<HKLM>\Software\FileZilla]
[<HKLM>\Software\Wow6432Node\South River Technologies\WebDrive\Connections]

Reads files which store third party applications passwords

%APPDATA%\mozilla\firefox\profiles.ini

Modifies file system

Creates the following files

%TEMP%\ooc620c.tmp
%APPDATA%\nbzjrrudwfjcmse\av protection 2011.ico
%APPDATA%\ldr.ini
%ProgramFiles(x86)%\lp\b3ed\4299.tmp
%APPDATA%\d891c\c1b1.891
%ProgramFiles(x86)%\lp\b3ed\36c.exe
%TEMP%\foif7b9.tmp
%TEMP%\foif7b8.tmp
%TEMP%\oocf7a7.tmp
%TEMP%\oocf44b.tmp
%TEMP%\oocf43a.tmp
%APPDATA%\bonf4pmh5efkf\av protection 2011v121.exe
%TEMP%\foi9df0.tmp
%TEMP%\foi9de0.tmp
%TEMP%\ooc9ddf.tmp
%TEMP%\ooc9d70.tmp
%TEMP%\ooc9d6f.tmp
%APPDATA%\dwme.exe
%TEMP%\dwme.exe
%WINDIR%\syswow64\av protection 2011v121.exe
%TEMP%\foi6404.tmp
%TEMP%\foi6403.tmp
%TEMP%\ooc63f3.tmp
%TEMP%\ooc620d.tmp
%APPDATA%\microsoft\windows\start menu\programs\av protection 2011\av protection 2011.lnk
%HOMEPATH%\desktop\av protection 2011.lnk

Deletes the following files

%TEMP%\ooc620c.tmp
%TEMP%\ooc620d.tmp
%TEMP%\ooc63f3.tmp
%TEMP%\foi6403.tmp
%TEMP%\foi6404.tmp
%TEMP%\ooc9d6f.tmp
%TEMP%\ooc9d70.tmp
%TEMP%\ooc9ddf.tmp
%TEMP%\foi9de0.tmp
%TEMP%\foi9df0.tmp
%TEMP%\oocf43a.tmp
%TEMP%\oocf44b.tmp
%TEMP%\oocf7a7.tmp
%TEMP%\foif7b8.tmp
%TEMP%\foif7b9.tmp
%WINDIR%\syswow64\av protection 2011v121.exe

Modifies the HOSTS file.

Network activity

TCP

HTTP GET requests

http://ar####dlegion.com/305986.png?pr#########################################
http://google.com/

UDP

DNS ASK gi####oolstome.com
DNS ASK ar####dlegion.com
DNS ASK google.com
DNS ASK pi####ewonline.com
DNS ASK li###klubs.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''
ClassName: 'a' WindowName: 'dc'
ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''
ClassName: 'SystemTray_Main' WindowName: ''
ClassName: 'Media Center Tray Applet' WindowName: ''
ClassName: 'BluetoothNotificationAreaIconWindowClass' WindowName: 'BluetoothNotificationAreaIconWindowClass'
ClassName: 'BluetoothNotificationAreaIconWindowClass' WindowName: ''

Creates and executes the following

'%TEMP%\dwme.exe'
'%APPDATA%\dwme.exe' auto
'%WINDIR%\syswow64\av protection 2011v121.exe' Protection 2011v121.exe 5985<Full path to file>
'%APPDATA%\bonf4pmh5efkf\av protection 2011v121.exe' Protection 2011v121.exe 5985%WINDIR%\SysWOW64\AV Protection 2011v121.exe
'%APPDATA%\dwme.exe' start%APPDATA%\D891C\9D9B3.exe%%APPDATA%\D891C
'%ProgramFiles(x86)%\lp\b3ed\4299.tmp'
'%APPDATA%\dwme.exe' start%ProgramFiles(x86)%\1C1B1\lvvm.exe%%ProgramFiles(x86)%\1C1B1

Executes the following