Backdoor.Win32.Buterat.cek

From Total Malware Info

The description for Backdoor.Win32.Buterat.cek was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

Last edited:

25.9.2011

It is a malicious program that provides an attacker with remote access to the infected machine. It is a Windows application (PE-EXE file). Its size is 53,248 bytes. It is packed with UPX and an unknown packer; its unpacked size is about 181 KB. It is written in C++.

MD5: 6BD27CD6F02511AF244EB85FA32BB01F

SHA1: BA245BA6AE566D8D8EC76836835846C8E7815F72

Installation

A copy of the backdoor can be created in the system with one of the following names:

%System%\netprotocol.exe
%APPDATA%\netprotocol.exe

At the same time, to evade signature-based anti-virus scanners, 2 bytes are modified in the created copy:

[Image: Buterat.cek.png]

To start the copy automatically every time the system boots, the backdoor creates the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = <path to a created copy>
 
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = <path to a created copy>

Next, the created copy of the malware will be executed.

Payload

Once launched, the backdoor requests settings for its further operation from the attacker's server. The received data is stored in the file:

%WorkDir%\System.log

To mark its presence in the system, it creates the registry key:

[HKLM\Software\Microsoft\Netprotocol]
"UniqueNum" = "<number>"

where <number> is a decimal number generated from the current system time.

The backdoor connects to the following servers to receive the attacker's commands:

http://kre****amdx.com/
http://kas****euk.com/
http://cl****na.com/
http://co****.be/

Requests to the attacker's server may have the following format:

- A request for a new command from the attacker:

<server>/njob.php?num=%s&rev=%s

- Confirmation that the next command has been executed:

<server>/nconfirm.php?rev=%s&code=%s&param=%s&num=%s
<server>/zconfirm.php?rev=%s&code=%s&site=%s&searches=%s&clicks=%s&adver=%s&num=%s
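As an added example (not part of the original description), the following PowerShell function matches the request shapes listed above against proxy log lines and pulls out the num value, which the description ties to the host marker stored in the registry. The log lines are constructed samples, and the host name c2-host.example is a placeholder because the real domains are masked on this page.

```powershell
# Added example, not from the original description: detect Buterat.cek C2
# request shapes (njob.php / nconfirm.php / zconfirm.php with num= and rev=)
# in proxy log lines. The lookaheads stay inside the URL token ([^ ]*).
$c2Pattern = '/(njob|nconfirm|zconfirm)\.php\?(?=[^ ]*\bnum=)(?=[^ ]*\brev=)'

function Test-ButeratRequest {
    param([string]$Line)
    return [bool]($Line -match $c2Pattern)
}

# The num= parameter is the per-host identifier; extract it so hits from the
# same infected machine can be grouped together.
function Get-ButeratHostId {
    param([string]$Line)
    if ($Line -match '\bnum=(\d+)') { return $Matches[1] }
    return $null
}

# Constructed sample log lines; c2-host.example is a placeholder host name.
$sampleLog = @(
    '2011-09-25 10:01:02 10.0.0.7 GET http://c2-host.example/njob.php?num=1316938800&rev=3 200',
    '2011-09-25 10:01:09 10.0.0.7 GET http://c2-host.example/nconfirm.php?rev=3&code=UPDATE&param=x&num=1316938800 200',
    '2011-09-25 10:02:00 10.0.0.8 GET http://www.example.com/index.php?num=5 200'
)

$sampleLog | Where-Object { Test-ButeratRequest $_ } | ForEach-Object {
    Write-Output ("SUSPECT host-id={0}: {1}" -f (Get-ButeratHostId $_), $_)
}
```

Only the first two sample lines are reported; the third has a num= parameter but not one of the three script names. In a real deployment, replace $sampleLog with Get-Content over the proxy log and use the host-id to pivot to the endpoint that should carry the UniqueNum registry value.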

The backdoor is able to process commands with the following names:

JOB FILE
ZORKASITE
BEGUNFEED
REKLOSOFT
TEASERNET
SUPERPOISK
DIRECTST
LIVINETCH
PARKING
UPDATE
DOWNRUN
PRIORITYHOST
SETSTPAGE
COOKREJCT
DESTROY

Depending on the received commands, the backdoor can perform the following actions on the infected system:

  • It changes the start page and the default search engine page in the following browsers: Internet Explorer, Opera and Mozilla Firefox.

For this purpose it changes the values of the following registry keys:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://webvolta.ru"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
"DisplayName" = "Webvolta"
"URL" = "http://webvolta.ru/search.php?q={searchTerms}"

It can also create the following files:

%System%\operaprefs_fixed.ini

This file contains the following strings:

[User Prefs]
Startup Type = 2
Home URL = http://webvolta.ru

%APPDATA%\Mozilla\Firefox\Profiles\searchplugins\webvolta.xml

This file contains the following strings:

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Webvolta</ShortName>
<Description>Webvolta search.</Description>
<InputEncoding>windows-1251</InputEncoding>
<Url type="text/html" method="GET" template="http://webvolta.ru/search.php?">
<Param name="q" value="{searchTerms}"/>
</Url>
</SearchPlugin>

The backdoor can also create the file:

%APPDATA%\Mozilla\Firefox\Profiles\<rnd>.default\user.js

with the following contents:

user_pref("dom.disable_window_status_change", false);
user_pref("startup.homepage_override_url", "%s");
user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "%s");
user_pref("browser.search.selectedEngine", "Webvolta");
  • It downloads files from the attacker's server and executes them.
  • It embeds JavaScript designed to display ads from the resource "http://begun.ru" into HTML documents opened by the user.
  • It "cheats" website usage statistics: the backdoor receives search queries and links to resources whose ratings are to be improved.
  • Calling the function "InternetClearAllPerSiteCookieDecisions", it clears the contents of the branch in the registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History]
  • Calling the function "InternetSetPerSiteCookieDecisionW", it rejects cookies for the domain "begun.ru".
  • It updates its executable from the attacker's server. Additionally, it can download a file that is stored in its working directory as
%WorkDir%\netprotdrvss.exe

The backdoor also updates its executable from the attacker's server when launched with the parameter:

/Updatefile3

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Restart the computer in "Safe Mode" (at the beginning of loading press and hold «F8», then select «Safe Mode» at the Windows boot menu).

2. Delete the following files:

%System%\netprotocol.exe
%APPDATA%\netprotocol.exe
%WorkDir%\System.log
%System%\operaprefs_fixed.ini
%APPDATA%\Mozilla\Firefox\Profiles\searchplugins\webvolta.xml
%APPDATA%\Mozilla\Firefox\Profiles\<rnd>.default\user.js
%WorkDir%\netprotdrvss.exe

3. Delete the system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = <path to a created copy>
 
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = <path to a created copy>
 
[HKLM\Software\Microsoft\Netprotocol]
"UniqueNum" = "<number>"

4. Restore the original registry key values:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
"DisplayName"
"URL"

5. Delete the original backdoor's file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

6. Clear the Temporary Internet Files directory, which may contain infected files.

7. Perform a full system scan with an antivirus with updated databases.
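The following PowerShell script is an added example, not part of the original description: it checks a Windows host, read-only, for the artifacts listed in the Installation, Payload and Removal sections above (dropped copies, companion files, the Run keys, the UniqueNum marker and the Webvolta browser settings) and reports what it finds. It assumes %WorkDir% is the directory holding the dropped netprotocol.exe, which the description does not state.

```powershell
# Added example, not from the original description: read-only triage for
# Backdoor.Win32.Buterat.cek artifacts. Nothing is deleted; run from an
# elevated prompt so HKLM and %System% are readable.
$findings = New-Object System.Collections.Generic.List[string]

$system  = [Environment]::GetFolderPath('System')   # %System%
$appData = $env:APPDATA                             # %APPDATA%

# Dropped copies and the files the payload can create.
$files = @(
    (Join-Path $system  'netprotocol.exe'),
    (Join-Path $appData 'netprotocol.exe'),
    (Join-Path $system  'operaprefs_fixed.ini'),
    (Join-Path $appData 'Mozilla\Firefox\Profiles\searchplugins\webvolta.xml')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("file: $f")
        # Assumption: %WorkDir% is the directory of the dropped copy, so look
        # for System.log and netprotdrvss.exe next to netprotocol.exe.
        if ((Split-Path -Leaf $f) -eq 'netprotocol.exe') {
            foreach ($companion in 'System.log', 'netprotdrvss.exe') {
                $c = Join-Path (Split-Path -Parent $f) $companion
                if (Test-Path -LiteralPath $c) { $findings.Add("file: $c") }
            }
        }
    }
}

# Firefox user.js in any <rnd>.default profile that selects the Webvolta engine.
$profiles = Join-Path $appData 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $profiles) {
    Get-ChildItem -Path $profiles -Directory -Filter '*.default' | ForEach-Object {
        $userJs = Join-Path $_.FullName 'user.js'
        if ((Test-Path -LiteralPath $userJs) -and
            (Select-String -Path $userJs -Pattern 'Webvolta' -Quiet)) {
            $findings.Add("file: $userJs (references Webvolta)")
        }
    }
}

# Persistence: "Netprotocol" value under the HKCU and HKLM Run keys.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name 'Netprotocol' -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("registry: $run\Netprotocol = $($v.Netprotocol)") }
}

# Infection marker written by the payload.
$marker = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Netprotocol' `
    -Name 'UniqueNum' -ErrorAction SilentlyContinue
if ($marker) {
    $findings.Add("registry: HKLM\Software\Microsoft\Netprotocol\UniqueNum = $($marker.UniqueNum)")
}

# Browser hijack: IE start page and the rewritten search scope.
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
    -Name 'Start Page' -ErrorAction SilentlyContinue
if ($ieMain -and $ieMain.'Start Page' -like '*webvolta.ru*') {
    $findings.Add("registry: IE Start Page = $($ieMain.'Start Page')")
}
$scope = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}'
$s = Get-ItemProperty -Path $scope -ErrorAction SilentlyContinue
if ($s -and (($s.URL -like '*webvolta.ru*') -or ($s.DisplayName -eq 'Webvolta'))) {
    $findings.Add("registry: IE search scope DisplayName=$($s.DisplayName) URL=$($s.URL)")
}

if ($findings.Count -eq 0) { Write-Output 'No Buterat.cek artifacts found.' }
else { $findings | ForEach-Object { Write-Output "FOUND $_" } }
```

Two caveats when using the output: the dropped copy will not match the MD5/SHA1 given at the top of this page, because the backdoor modifies 2 bytes of every copy it creates, so match on the path and the Run value rather than on the hash; and the search scope GUID above is a legitimate Internet Explorer scope, so the script only flags it when its DisplayName or URL points at Webvolta.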
