Backdoor:Win32.Poison(Trojan.Win32.Generic!BT)

by alexander.adamov on October 3rd, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 16896 bytes
Language: C++
MD5: 8d326300a6f4dfe93a456c4c185bf2a
SHA1: a01dee0fdb5a752afea044c4e4fe4534ef5a23f6
Aliases: Backdoor:Win32.Poison

Summary

Trojan.Win32.Generic!BT is a Trojan which extracts from itself another malicious program providing the attacker with unauthorized remote access to the infected computer. The Trojan is installed on the system by another malicious program which uses the critical vulnerability CVE-2012-4969.

Technical Details

Payload

Once activated, the Trojan locates its original body in the current user's Windows temporary folder with a randomly generated name:

%Temp%\<rnd>.dat

where <rnd> is a random sequence of numbers, e.g.: "690046".

The Trojan disables Windows System File Checker by terminating the threads of the winlogon.exe process that monitor system file integrity.

The Trojan then replaces the mspmsnsv.dll system library. The mspmsnsv.dll file is a module responsible for providing Microsoft Media Device Service:

%System%\mspmsnsv.dll

The file is 10240 bytes in size and it is detected as Trojan.Win32.Generic!BT by Ad-Aware.

MD5: 3079fc1303afbf709aa715f50fb917f5

SHA1: 8cb9a312974951e0bf89bb9f258ab9bed47c48ba

The replaced mspmsnsv.dll library is given the same file creation date and time as the "%System%\sfc.exe" file.

The Trojan then modifies the value of the WmdmPmSN system service start parameter:

[HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
"Start" ="2"

Thus, the service will start automatically each time Windows starts.

The Trojan then starts the WmdmPmSN service, which in turn loads the modified system library mspmsnsv.dll into the context of svchost.exe. Through this library, the Trojan attempts to connect to the command server in order to receive and execute the attacker's commands:

ie.aq1.co.uk

At the time this description was written, the server was not responding.

The Trojan body %Temp%\<rnd>.dat is scheduled for deletion at the next Windows boot by means of the registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"
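
The three host artifacts described above (the WmdmPmSN start type, the replaced mspmsnsv.dll and the pending deletion of the %Temp%\<rnd>.dat body) can be checked with the following triage script. It is an added example written for this description, not code from the original write-up; the indicator values are taken from the page, and it assumes a default Windows layout and PowerShell 4 or later (for Get-FileHash).

```powershell
# Triage check for the Backdoor:Win32.Poison artifacts described in the write-up.
# Added example, not part of the original description. Run as Administrator.
function Test-PoisonArtifacts {
    # SHA1 of the replaced mspmsnsv.dll, as given on the page.
    $KnownBadSha1 = '8cb9a312974951e0bf89bb9f258ab9bed47c48ba'
    $DllPath      = Join-Path $env:SystemRoot 'System32\mspmsnsv.dll'
    $ServiceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WmdmPmSN'
    $SessionKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service start type: the Trojan sets Start=2 (automatic); the removal
    #    recommendations restore it to 3 (manual).
    $start = (Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 2) {
        $findings.Add("WmdmPmSN Start=2 (automatic); expected 3 (manual)")
    }

    # 2. Library hash: compare the on-disk DLL with the known-bad SHA1.
    if (Test-Path -LiteralPath $DllPath) {
        $sha1 = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA1).Hash.ToLower()
        if ($sha1 -eq $KnownBadSha1) {
            $findings.Add("mspmsnsv.dll matches known-bad SHA1 $sha1")
        }
        # Weak indicator only: the Trojan copies sfc.exe's creation time, but a
        # clean install may also share timestamps, so this is reported as informational.
        $sfc = Join-Path $env:SystemRoot 'System32\sfc.exe'
        if ((Test-Path -LiteralPath $sfc) -and
            ((Get-Item -LiteralPath $DllPath).CreationTimeUtc -eq (Get-Item -LiteralPath $sfc).CreationTimeUtc)) {
            $findings.Add("INFO: mspmsnsv.dll creation time equals sfc.exe creation time")
        }
    }

    # 3. Pending rename operations: the Trojan schedules deletion of %Temp%\<digits>.dat
    #    at next boot. Entries come in source/destination pairs; an empty destination
    #    means delete. -match is case-insensitive in PowerShell.
    $pending = (Get-ItemProperty -Path $SessionKey -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    foreach ($entry in @($pending)) {
        if ($entry -match '\\Temp\\\d+\.dat$') {
            $findings.Add("Pending boot-time file operation on $entry")
        }
    }

    return $findings
}

# Usage: print each finding; no output means none of the page's indicators were seen.
Test-PoisonArtifacts | ForEach-Object { Write-Output $_ }
```

A clean result only means these specific indicators are absent; a full scan with current definitions, as recommended below, is still required.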

Removal Recommendations

  1. Restore the registry key value (How to Work with System Registry):

     [HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
     "Start" ="3"

  2. Restore the file:

     %System%\mspmsnsv.dll

  3. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  4. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).
  5. Install and update the Microsoft security bulletin MS12-063:

     http://technet.microsoft.com/en-us/security/bulletin/ms12-063