- November 10, 2005
- November 10, 2005 11:01:57 PM
- 10,240 bytes
- Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Backdoor.Ryknos is a Trojan horse with back door capabilities.
Analysis revealed that W32.Looksky.B (MCID 6121) and Backdoor.Ryknos are similar in construction with the major difference appearing to be the exploitation of SecurityRisk.First4DRM by Backdoor.Ryknos.
Once executed, the Trojan copies itself as the following file:
The Trojan will not be installed if the compromised computer has the XCP software present, which is itself installed when inserting some Sony BMG content-protected music CDs.
However, if the XCP software is installed after the Trojan, then this software will hide the copy of the Trojan file and the registry subkey it creates.
The Trojan then creates one of the following mutexes, so that only one instance of it runs on a compromised computer at any one time:
Next, the Trojan creates the following registry entry:
HKEY_CURRENT_USER\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj\"$sys$drv" = "$sys$drv.exe"
As a result of a code bug, the Trojan will attempt, and fail, to create a registry subkey under the following subkey:
Next, the Trojan attempts to send a notification message to a predetermined IP address, using TCP port 8080.
The Trojan also attempts to add itself as a trusted application to the Windows Firewall.
The Trojan provides back door capabilities by connecting to the IRC channel #sony and listening for commands.
These commands can allow a remote attacker to perform any of the following actions:
Send sensitive information, such as the host and user name, operating system version, and IP address
Download and execute remote files
The Trojan contacts the following Web site and attempts to download a file which has been detected as a W32.Looksky.B (MCID 6121) variant:
Writeup By: Elia Florio