Backdoor.Nibu.M is a Trojan horse that opens a back door on a compromised computer and blocks access to security-related Web sites. It also runs a keylogger, periodically sending the stolen information to a remote attacker.
Once Backdoor.Nibu.M is executed, it performs the following actions:
1. Creates the following files:
* %System%\winldra.exe
* %Windir%\dvpd.dll
* %Windir%\prntsvra.dll
* %Windir%\TEMP\fe43e701.tmp
Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Adds the value:
"load32" = "%System%\winldra.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it is executed every time Windows starts.
3. Creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\SARS
which contains configuration information.
4. Sends information about the compromised computer using the HTTP GET method to:
[http://]220953.ds.nac.net/[REMOVED]/logger.php
5. Captures browser window titles and keystrokes typed into windows whose titles contain any of the following strings:
* anz
* ANZ
* Bank
* bank
* bet
* Bet
* bill
* Bill
* bookmak
* Bookmak
* bull
* Bull
* cash
* casino
* Casino
* ebay
* e-metal
* Fethard
* fethard
* fund
* Fund
* gold
* invest
* Invest
* Keeper
* login
* Login
* member
* Member
* Money
* money
* mull
* pay
* Pay
* Pal
* shop
* Shop
* Storm
* WM Keeper
6. Monitors Internet Explorer for data submitted in Web forms and logs this information to one of the following files:
* %Windir%\netdx.dat
* %Windir%\cmdid.dat
* %Windir%\socks.dat
* %Windir%\prntk.log
7. Attempts to steal the following kinds of information:
* FAR Manager passwords
* FTP Commander passwords
* The Bat! email client passwords
* Protected storage data
* IP address of the infected computer
* Operating system version
* Internet Explorer version
8. Launches a thread that monitors the clipboard, saving any data found into the following log file:
%Windir%\prntc.log.
9. Periodically checks the size of the files it uses for logging stolen information. When the files reach a certain size, the stolen information is sent using the Trojan's own SMTP engine.
10. Listens on TCP port 48094 for further instructions from a remote attacker.
11. Blocks access to several security-related Web sites by adding the following text to the hosts file (%System%\drivers\etc\hosts on Windows NT/2000/XP, %Windir%\hosts on Windows 95/98/Me), so that the listed names resolve to the local machine instead of the vendor's servers:
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 us.mcafee.com/root/
127.0.0.1 www.symantec.com
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.m.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"load32" = "%System%\winldra.exe"
6. Delete the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\SARS
7. Exit the Registry Editor.
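The hosts-file hijack in step 11 and the TCP listener in step 10 are the two indicators an administrator can verify without touching the malware itself, before and after following the removal steps. The script below is an added example written for this page, not Symantec's tooling: it parses a hosts file, flags any entry that overrides a security-vendor domain (to any address, not only 127.0.0.1, and covering subdomains beyond the exact names listed above), strips those entries while keeping legitimate names on the same line, and picks the PID listening on port 48094 out of `netstat -ano` output. The vendor domain list is derived from the hosts entries in step 11; the sample hosts file and netstat output are constructed, not real captures.

```python
"""Hosts-file and listener triage for the Backdoor.Nibu.M indicators above.

Added example for this page, not Symantec's tooling. The vendor domain list is
derived from the hosts entries in step 11 and the port from step 10; the sample
hosts file and netstat output below are constructed, not real captures.
"""

# Registrable domains that the Trojan's hosts entries target (from step 11).
VENDOR_DOMAINS = (
    "trendmicro.com", "mcafee.com", "symantec.com", "symantecliveupdate.com",
    "nai.com", "networkassociates.com", "my-etrust.com", "ca.com", "avp.com",
    "kaspersky.com", "f-secure.com", "viruslist.com", "sophos.com",
)
BACKDOOR_PORT = 48094  # TCP listener from step 10


def is_vendor_host(name):
    """True if name is one of the vendor domains or any subdomain of one."""
    host = name.lower().split("/", 1)[0]  # the Trojan even writes "us.mcafee.com/root/"
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_hosts(text):
    """Return (line_no, address, hostname) for every mapping in a hosts file.

    A hosts line is "<address> <name> [<name> ...]"; '#' starts a comment, so a
    single line may carry several hostnames.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        for name in parts[1:]:
            entries.append((line_no, parts[0], name.lower()))
    return entries


def find_hijacked_entries(text):
    """Vendor hostnames overridden in the hosts file, whatever the address.

    Not only 127.0.0.1 is flagged: a variant could point update servers at an
    attacker-controlled host instead of the loopback address.
    """
    return [e for e in parse_hosts(text) if is_vendor_host(e[2])]


def clean_hosts(text):
    """Return the hosts file with vendor overrides removed.

    Lines mixing legitimate names with hijacked ones keep the legitimate names;
    comments, blank lines and untouched lines are preserved verbatim.
    """
    out = []
    for raw in text.splitlines():
        body, hash_, comment = raw.partition("#")
        parts = body.split()
        if len(parts) >= 2:
            keep = [n for n in parts[1:] if not is_vendor_host(n)]
            if not keep:
                continue  # every name on the line was malicious: drop the line
            if len(keep) != len(parts) - 1:
                raw = " ".join([parts[0]] + keep) + (" #" + comment if hash_ else "")
        out.append(raw)
    return "\n".join(out) + "\n"


def find_backdoor_listeners(netstat_text, port=BACKDOOR_PORT):
    """PIDs with a TCP socket in LISTENING state on the backdoor port.

    Assumes the five-column layout of `netstat -ano` on Windows:
    Proto, Local Address, Foreign Address, State, PID (UDP rows have no State).
    """
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].upper() == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(parts[4]))
    return pids


# Constructed sample: a hosts file after infection. The last line is a legitimate
# intranet entry that also carries a vendor name, to exercise per-name cleanup.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com/root/
10.0.0.5 intranet intranet.corp.example www.symantec.com
"""

# Constructed sample `netstat -ano` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:48094          0.0.0.0:0              LISTENING       1532
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for line_no, addr, host in find_hijacked_entries(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s" % (line_no, host, addr))
    for pid in find_backdoor_listeners(SAMPLE_NETSTAT):
        print("PID %d is listening on TCP %d" % (pid, BACKDOOR_PORT))
```

On a real machine, pass the contents of %System%\drivers\etc\hosts to find_hijacked_entries and clean_hosts, and the output of `netstat -ano` to find_backdoor_listeners; a PID reported for port 48094 can then be matched against a running winldra.exe in Task Manager before the registry values are removed.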