
Backdoor.Ryknos

Risk Level 2: Low

Discovered: November 10, 2005
Updated: November 10, 2005 11:01:57 PM
Infection Length: 10,240 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Backdoor.Ryknos is a Trojan horse with back door capabilities.

Analysis revealed that W32.Looksky.B (MCID 6121) and Backdoor.Ryknos are similar in construction; the major difference appears to be that Backdoor.Ryknos exploits SecurityRisk.First4DRM.

Once executed, the Trojan copies itself as the following file:
%System%\$sys$drv.exe

The Trojan will not be installed if the compromised computer has the XCP software present, which is itself installed when inserting some Sony BMG content-protected music CDs.

However, if the XCP software is installed after the Trojan, then this software will hide the copy of the Trojan file and the registry subkey it creates.

The Trojan then creates one of the following mutexes, so that only one instance of it runs on a compromised computer at any one time:
SonyEnabled
$sys$drv.exe

Next, the Trojan creates the following registry entry:
HKEY_CURRENT_USER\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj\"$sys$drv" = "$sys$drv.exe"

As a result of a code bug, the Trojan will attempt, and fail, to create a registry subkey under the following subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Run
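Added example, not part of the Symantec writeup, covering the XCP cloaking described above and the registry entry just quoted: XORing every character of the quoted subkey name with 0x04 yields Software\Microsoft\Windows\CurrentVersion\Run exactly (verifiable from the text), and the helpers flag the $sys$-prefixed artifacts that XCP hides. The Run values, file names and mutex names are constructed samples, and the cross-view check assumes the analyst can obtain a raw (for example offline) listing alongside the normal API view.

```python
# Added example (not Symantec's code). All sample data is constructed.
XCP_CLOAK_PREFIX = "$sys$"                       # names XCP hides from the user
RYKNOS_MUTEXES = {"SonyEnabled", "$sys$drv.exe"}  # mutexes named in the writeup
RYKNOS_DROP_NAME = "$sys$drv.exe"                 # dropped file name
# Subkey name exactly as quoted in the writeup, and the real Run path.
QUOTED_SUBKEY = "WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"
REAL_RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"


def xor_str(text, key):
    """Apply a single-byte XOR to every character of text."""
    return "".join(chr(ord(c) ^ key) for c in text)


def recover_single_byte_key(obfuscated, plaintext):
    """Return the one-byte key mapping obfuscated onto plaintext, or None."""
    if len(obfuscated) != len(plaintext):
        return None
    for key in range(1, 256):
        if xor_str(obfuscated, key) == plaintext:
            return key
    return None


def cloaked_names(names):
    """Entries XCP's cloak would hide: anything starting with $sys$."""
    return sorted(n for n in names if n.lower().startswith(XCP_CLOAK_PREFIX))


def hidden_by_cross_view(api_view, raw_view):
    """Names present in a raw enumeration but missing from the API view.
    Assumes both listings are available (e.g. an offline disk or hive read)."""
    return sorted(set(raw_view) - set(api_view))


def triage(run_values, system_files, mutexes):
    """Collect Ryknos indicators from Run values, %System% files and mutexes."""
    findings = []
    for name, value in run_values.items():
        if name.lower().startswith(XCP_CLOAK_PREFIX) or RYKNOS_DROP_NAME in value.lower():
            findings.append(f"run value {name!r} -> {value!r}")
    findings += [f"cloaked file {f}" for f in cloaked_names(system_files)]
    findings += [f"mutex {m}" for m in sorted(RYKNOS_MUTEXES & set(mutexes))]
    return findings


# Constructed sample data: what a raw read versus the normal API might show.
SAMPLE_RUN = {"ctfmon.exe": "ctfmon.exe", "$sys$drv": "$sys$drv.exe"}
SAMPLE_FILES_RAW = ["kernel32.dll", "$sys$drv.exe", "$sys$sample.dat"]
SAMPLE_FILES_API = ["kernel32.dll"]   # cloaked names do not appear
SAMPLE_MUTEXES = ["SonyEnabled", "ZonesCounterMutex"]
```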

Next, the Trojan attempts to send a notification message to a predetermined IP address, using TCP port 8080.

The Trojan also attempts to add itself as a trusted application to the Windows Firewall.

The Trojan provides back door capabilities by connecting to the IRC channel #sony and listening for commands.

These commands can allow a remote attacker to perform any of the following actions:
Send sensitive information, such as the host and user name, operating system version, and IP address
Download and execute remote files

The Trojan contacts the following Web site and attempts to download a file which has been detected as a W32.Looksky.B (MCID 6121) variant:

http://playtimepiano.home.comcast.net/bk.exe
Writeup By: Elia Florio