This memory-resident backdoor arrives on a system as an attachment to spammed email messages. It may also arrive as a file dropped or downloaded by a remote malicious user. Upon execution, it drops a copy of itself in the Windows system folder. To hide its files, folders and processes, the backdoor relies on Digital Rights Management (DRM) copy-protection software that is already installed on the system and that contains rootkit functionality: the DRM driver cloaks any file, process or registry entry whose name begins with $sys$, which is why the backdoor names its dropped copy, its mutex and its startup registry value with that prefix.
Effects:
- It creates the mutex $sys$drv.exe to ensure that only one instance of itself runs in the affected system's memory.
- It hides all malware-related files, folders and processes (their names carry the $sys$ prefix cloaked by the DRM rootkit driver).
- It bypasses the affected system's firewall by running a command that exempts the backdoor from the firewall, so that its network routines are not blocked.
- It connects at random to one of the following remote Internet Relay Chat (IRC) servers:
24.210.44.45
67.171.67.190
35.10.203.93
152.7.24.186
- It opens TCP port 8080 and joins the IRC channel #sony, where it receives and executes commands from a remote malicious user, including commands to delete files. This routine compromises system security and increases the risk of further attacks on the affected system.
- It creates the following registry entries to enable its automatic execution at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
$sys$drv = "$sys$drv.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
$sys$drv = "$sys$drv.exe"
When it arrives as an attachment to spam email, the message has the following characteristics:
From:
•TotalBusiness
Subject:
•Requesting Photo Approval
Attachments: (Any of the following)
•article_december_3621.exe
•Photo+Article.exe
Message body:
Hello,
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.
Removal:
Removal involves advanced troubleshooting. Note that while the DRM rootkit driver is loaded, Task Manager and Registry Editor may not display names beginning with $sys$, so the items below can appear to be absent on an infected system; the rootkit's cloaking has to be removed (or the system examined offline) before these steps can be completed reliably.
Step 1: Disable System Restore.
Step 2: Open Task Manager, locate the process $SYS$DRV.EXE and end it.
Step 3: Back up the registry first.
Step 4: Delete the following registry entries created for automatic start-up:
- In the left panel, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right panel, locate and delete the entry:
$sys$drv = "$sys$drv.exe"
- In the left panel, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- In the right panel, locate and delete the entry:
$sys$drv = "$sys$drv.exe"
Step 5: Delete the dropped copy of $sys$drv.exe from the Windows system folder.
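The following script is an added example for this page, not part of the original write-up, and is not the vendor's removal tool. It checks a host for the indicators listed under Effects (the $sys$drv.exe mutex, a $sys$-prefixed process, the Run values in both hives, connections to the listed IRC servers or port 8080, and a firewall exemption for a $sys$ program) and, with -Remove, carries out removal steps 2 to 4. Assumptions: Windows PowerShell 5.1 or later in an elevated prompt; Get-NetTCPConnection and the NetSecurity cmdlets exist (Windows 8 / Server 2012 and later; on the XP-era systems this backdoor targeted, netstat and netsh would be used instead); the file name sysdrv-triage.ps1 and the -Remove switch are this example's own conventions.

```powershell
# Added example (not the original write-up's code): host triage for the
# IOCs in the Effects section, with optional removal (steps 2-4).
# Assumes elevated Windows PowerShell 5.1+ with the NetTCPIP/NetSecurity
# modules available. The -Remove switch is this script's own convention.
[CmdletBinding()]
param(
    [switch]$Remove   # end the process, back up and delete Run values, drop firewall rule
)

# IOCs exactly as given in the write-up (single quotes keep $ literal).
$mutexName = '$sys$drv.exe'
$valueName = '$sys$drv'
$c2Servers = @('24.210.44.45', '67.171.67.190', '35.10.203.93', '152.7.24.186')
$runKeys   = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings  = @()

# Caveat: while the DRM rootkit driver is loaded it cloaks $sys$-prefixed
# names from process, file and registry enumeration, so checks 2 and 3
# can miss an active infection. Check 1 opens the mutex by name instead of
# enumerating, so it is less likely to be affected; it is listed first.

# 1. Mutex: OpenExisting succeeds only if a live process holds the name.
#    Try the session-local name and the Global namespace.
foreach ($name in @($mutexName, "Global\$mutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "mutex '$name' is present (backdoor appears to be running)"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # no such mutex in this namespace
    } catch [System.UnauthorizedAccessException] {
        $findings += "mutex '$name' exists but could not be opened (run elevated)"
    }
}

# 2. Process (removal step 2). Same cloaked view as Task Manager.
$procs = @(Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like '$sys$*' })
foreach ($p in $procs) {
    $findings += "process $($p.ProcessName) (PID $($p.Id)) is running"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 3. Persistence (removal steps 3 and 4): both Run keys, backed up before deletion.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties.Name -contains $valueName) {
        $findings += "$key value $valueName = $($props.$valueName)"
        if ($Remove) {
            $regPath = $key -replace ':', ''                       # HKLM:\... -> HKLM\...
            $backup  = Join-Path $env:TEMP (($regPath -replace '[\\:]', '_') + '.reg')
            & reg.exe export $regPath $backup /y | Out-Null       # step 3: backup
            Remove-ItemProperty -Path $key -Name $valueName       # step 4: delete value
        }
    }
}

# 4. Network: a connection to a listed IRC server is strong evidence; port
#    8080 on its own is weak (proxies use it) and is reported for review.
$conns = @(Get-NetTCPConnection -ErrorAction SilentlyContinue)
foreach ($c in $conns) {
    $line = "TCP $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) [$($c.State)]"
    if ($c2Servers -contains $c.RemoteAddress) { $findings += "C2 connection $line" }
    elseif ($c.RemotePort -eq 8080 -or $c.LocalPort -eq 8080) { $findings += "review (port 8080) $line" }
}

# 5. Firewall exemption: any rule whose program path carries the cloaked prefix.
$fwRules = @(Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*$sys$*' } | Get-NetFirewallRule)
foreach ($r in $fwRules) {
    $findings += "firewall rule '$($r.DisplayName)' ($($r.Action)) references a cloaked-prefix program"
    if ($Remove) { Remove-NetFirewallRule -Name $r.Name }
}

if ($findings.Count -eq 0) {
    Write-Output 'No IOC matched. Inconclusive while the DRM rootkit driver is loaded; re-check after uncloaking or from offline media.'
} else {
    foreach ($f in $findings) { Write-Output "FOUND: $f" }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to apply removal steps 2-4.' }
}
```

Run it once without arguments to report, then with -Remove to act: `.\sysdrv-triage.ps1` followed by `.\sysdrv-triage.ps1 -Remove`. The dropped copy in the Windows system folder (step 5) is deliberately not deleted here, because a $sys$-prefixed file is invisible to the file system APIs while the rootkit driver is active; delete it after uncloaking or from offline media.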