Backdoor.Win32.Gbot.ggb
From Total Malware Info
Last edited: 3.7.2011
This backdoor provides cybercriminals with remote access to an infected computer. It is a Windows PE-EXE file, 193124 bytes in size, written in C++.
MD5: 7D346E1BF063B57C547CB031CC5ACB7F
SHA1: 73A1158CC70BA100999E3CB32A8AC2629E72F190
Installation
Once launched, the backdoor copies its body to a file:
%Temp%\csrss.exe
To launch this copy automatically each time the system starts, it adds a reference to it in the system registry:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "Load"="%Temp%\csrss.exe "
Payload
To ensure that only one instance of its process is running, the backdoor creates unique identifiers under a fixed set of GUID-style names.
Then the malware creates a file named:
%Documents and Settings%\%Current User%\Application Data\<xxx>.<zzz> (600 bytes in size)
where
xxx – a random alphanumeric sequence,
zzz – a random combination of digits.
This file stores the basic backdoor settings. Next, the trojan builds a download link of the following form:
http://<server_domain_name>/<path_to_file>/<parameters>
where
- server_domain_name:
booko*****catalog.com freet*****iconline.com sepa*****ilkandtee.com high*****dbsearch.com cata*****urcecodes.com mobil*****sonlines.com onlin*****uostore4you.com nomo*****scat.com lapo*****pia.com fre*****sdb.com sslpr*****mingshool.com ddos*****eonline.com samb*****ubonline.com hl*****oz.com
- path_to_file:
blog/images/3521.jpg blog/images/3522.jpg blog/images/3523.jpg
- parameters:
v<decimal_number>=<decimal_number>&tq=<encrypted_data>
The downloaded files are stored under the following names:
%Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe – 174592 bytes in size, detected by Kaspersky Antivirus as Backdoor.Win32.Gbot.grx
%Documents and Settings%\%Current User%\Application Data\dwm.exe – 185856 bytes in size, detected by Kaspersky Antivirus as Backdoor.Win32.Gbot.grx
After that, the trojan runs the downloaded files with the following parameters:
Start %Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe %%Documents and Settings%\%Current User%\Application Data\Microsoft,<path_to_original_backdoor_file>
Start %Documents and Settings%\%Current User%\Application Data\dwm.exe%%Documents and Settings%\%Current User%\Application Data, %Documents and Settings%\%Current User%\Application Data\Microsoft
To ensure that the downloaded files are launched automatically each time the system is rebooted, the following registry values are created:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "conhost" = "%Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "explorer.exe, %Documents and Settings%\%Current User%\Application Data\dwm.exe"
It sends an HTTP POST request with encrypted information about the infected system to an attacker's server:
zo***g.com/index.html?tq=<encrypted_information>
It also attempts to download malicious files from a list of hard-coded links (masked in the original description) that point to image-like files (.jpg, .png, .gif) on third-party sites.
The downloaded files are stored in the temporary files folder of the current user:
%Temp%\<rnd>.tmp
where <rnd> is a whole decimal number. The trojan opens a random TCP port (for example 57414, 57455 or 62202) to provide remote access to the infected system, and starts an HTTP proxy server on the same port:
127.0.0.1:<port_number>
To change the settings of Internet Explorer, the trojan modifies the following registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable"=dword:00000001 "ProxyServer"="http=127.0.0.1:<port_number>"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections] "DefaultConnectionSettings"=<address_of_proxy_in_hex> "SavedLegacySettings"=<address_of_proxy_in_hex>
It attempts to disrupt the following antivirus applications:
AVG, Avira, Dr.Web, Norton, Symantec, Avast, McAfee, ESET NOD32, Kaspersky, BitDefender, Windows Defender
Removal instructions
If your computer does not have an antivirus and is infected by this malicious program, follow the instructions below to delete it:
1. Using Task Manager, terminate the trojan processes (the copies launched from the Application Data folder, not any legitimate system process of the same name):
conhost.exe
dwm.exe
2. Delete the following values from the system registry:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "Load"="%Temp%\csrss.exe "
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "conhost" = "%Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe "
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "explorer.exe, %Documents and Settings%\%Current User%\Application Data\dwm.exe "
3. Restore the original value of the following key in the system registry, from:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "explorer.exe, %Documents and Settings%\%Current User%\Application Data\dwm.exe"
to:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "explorer.exe"
4. Delete the files:
%Documents and Settings%\%Current User%\Application Data\<xxx>.<zzz>
where
xxx – a random alphanumeric sequence,
zzz – a random combination of digits.
%Temp%\csrss.exe
%Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe
%Documents and Settings%\%Current User%\Application Data\dwm.exe
5. Clear the Temporary Internet Files folder, which may contain infected files.
6. Disable the proxy in the Internet browser.
7. Perform a full system scan using an antivirus with up-to-date databases.
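A read-only PowerShell audit of the persistence, proxy and file indicators listed above, added here as an example (it is not part of the original description and only reports, it removes nothing); it assumes a current Windows profile layout in which %APPDATA% corresponds to the "Application Data" folder named above, and it can be run before and after the removal steps to confirm the cleanup.

```powershell
# Added example, not from the original description: report which Gbot.ggb
# indicators from the description are present on this machine.
# Assumption: %APPDATA% == "%Documents and Settings%\%Current User%\Application Data".
$findings = @()

function Test-RegValue {
    param([string]$Path, [string]$Name, [scriptblock]$IsBad, [string]$Why)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $value = $item.$Name
        if (& $IsBad $value) { $script:findings += "$Why : $Path\$Name = $value" }
    }
}

# Registry persistence described in the Installation and Payload sections.
Test-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'Load' `
    { param($v) $v -match 'csrss\.exe' } 'Load value points at the %Temp% copy'
Test-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' 'conhost' `
    { param($v) $v -match 'Application Data|AppData' } 'Run entry for dropped conhost.exe'
Test-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell' `
    { param($v) $v -ne 'explorer.exe' } 'Winlogon Shell is not plain explorer.exe'

# Local HTTP proxy inserted into the Internet Explorer settings.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Test-RegValue $inet 'ProxyEnable' { param($v) $v -eq 1 } 'Proxy is enabled'
Test-RegValue $inet 'ProxyServer' { param($v) $v -match '127\.0\.0\.1:\d+' } 'Proxy points at localhost'

# Dropped files, by the names and locations the description gives.
$paths = @(
    (Join-Path $env:TEMP 'csrss.exe'),
    (Join-Path $env:APPDATA 'Microsoft\conhost.exe'),
    (Join-Path $env:APPDATA 'dwm.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        $findings += "Dropped file present : $p ($size bytes)"
    }
}

# Processes with the dropped names that run from outside the Windows folder.
Get-Process -Name conhost, dwm -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } |
    ForEach-Object { $findings += "Suspicious process : $($_.Name) (PID $($_.Id)) from $($_.Path)" }

if ($findings.Count -eq 0) { 'No Gbot.ggb indicators found.' } else { $findings }
```

Run it from an elevated session so that the HKLM Run key and process image paths are readable; an empty result after steps 1 to 7 means the listed indicators are gone, but step 7 (a full scan) is still required for the randomly named settings and temporary files.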