January 26, 2011

Backdoor BREPLIBOT.C


This memory-resident backdoor arrives on a system as an attachment in spammed email messages. It may also arrive as a dropped or downloaded file from a remote malicious user. Upon execution, this backdoor drops a copy of itself in the Windows system folder. This backdoor uses Digital Rights Management (DRM) software, which is a form of rootkit technology, in an attempt to hide malware-related files, folders, and processes.


Effects:
  • This backdoor creates the mutex $sys$drv.exe to ensure that only one instance of itself runs in the affected system's memory.
  • It hides all malware-related files, folders, and processes.
  • It bypasses the firewall settings of the affected system by running a command that prevents the backdoor from being blocked by the system firewall, so that its routines can run normally.
  • This backdoor randomly connects to any of the following remote Internet Relay Chat (IRC) servers:
      • 68.101.14.76
      • 24.210.44.45
      • 67.171.67.190
      • 35.10.203.93
      • 152.7.24.186
  • It opens TCP port 8080 and joins the IRC channel #sony, where it receives and performs commands from a remote malicious user. Some of the commands include deleting files. This routine effectively compromises system security and increases the risk of further attacks on the affected system.
  • It creates the following registry entries to enable its automatic execution:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
          $sys$drv = "$sys$drv.exe"
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          $sys$drv = "$sys$drv.exe"


When it arrives as an attachment in spam email, the message has the following details:

From:
• TotalBusiness

Subject:
• Requesting Photo Approval

Attachments (any of the following):
• article_december_3621.exe
• Photo+Article.exe

Message body:
Hello,

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.

Removal:
Removal of this backdoor involves advanced troubleshooting.
Step 1: Disable System Restore.
Step 2: Open Task Manager, search for the process $SYS$DRV.EXE, and delete it.
Step 3: Take a backup of the registry first.
Step 4: Delete the following registry entries that have been created for automatic startup:

  1. In the left panel, look for HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. In the right panel, locate and delete the entry:
    $sys$drv = "$sys$drv.exe"
  3. In the left panel, double-click the following: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right panel, locate and delete the entry:
    $sys$drv = "$sys$drv.exe"
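
As an added example (not part of the original post), the registry backup from Step 3 can be checked offline for the two autostart entries listed above, which also confirms afterwards that Step 4 removed them. It assumes the backup is a regedit text export; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the write-up above: value name, file name, the two Run keys.
IOC_NAME = "$sys$drv"
IOC_FILE = "$sys$drv.exe"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Constructed sample of a regedit text export (not taken from a real system).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"
"$sys$drv"="$sys$drv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"$SYS$DRV"="C:\\WINDOWS\\system32\\$sys$drv.exe"

[HKEY_CURRENT_USER\Software\Example]
"LastRun"="2011-01-26"
'''

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"="data" string values; quotes and backslashes inside are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def load_export(path):
    """Read a regedit 5.00 export file, which is UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as handle:
        return handle.read()


def find_autorun_iocs(reg_text):
    """Return (key, value name, data) for Run entries matching the indicators."""
    hits, key, in_run_key = [], "", False
    for line in reg_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            in_run_key = key.lower() in RUN_KEYS
            continue
        value = VALUE_RE.match(line) if in_run_key else None
        if value:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())
            if name.lower() == IOC_NAME or IOC_FILE in data.lower():
                hits.append((key, name, data))
    return hits
```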
