Backdoor.Berbew.J


Discovered: August 24, 2004
Updated: August 24, 2004 1:26:23 PM
Systems Affected: Windows

Backdoor.Berbew.J is a Trojan horse program that attempts to steal cached passwords from a compromised computer. It may also display fake windows to gather confidential information from the user.

Once executed, the Trojan creates a mutex named "Engel_12", which ensures that only one instance of the Trojan is running on the compromised computer at one time.

Next, the Trojan drops the following files:
%System%\[8 random characters].exe
%System%\[8 random characters].dll

The Trojan may also create the following files, which are used for saving password information and any downloaded configuration data for the Trojan:
%System%\Engl32.dat
%System%\Rtdx1[random number].htm
%System%\engl32.vxd
%System%\Rtdx1[random number].dat
%System%\ccct32.dat

The Trojan then creates several .htm files in the %Temp% directory, named [8 random characters].htm. It may then open these files in Internet Explorer.

The Trojan creates the following registry entry so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebEvent Logger={79ECA078-17FF-726B-E811-213280E5C831}

Next, the Trojan creates the following registry key, which causes %System%\[8 random characters].dll to be loaded as a Browser Helper Object by Internet Explorer:
HKEY_CLASSES_ROOT\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}

It also sets the following values in the registry, which prevent Internet Explorer from asking users if they are sure that they want to submit unencrypted form data:
HKEY_LOCAL_MACHINE\Software\Microsoft\IE4\MGR = "D-REPORTS-[8 random letters]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1601 = 0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1601 = 0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1601 = 0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = 0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1601 = 0x0

This Trojan then sets the following registry entry to prevent Internet Explorer from asking users whether they wish to work offline when the computer is not connected to the Internet:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0x0

It then sets the following registry entry to enable Windows Explorer to access the Internet:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BrowseNewProcess = "Yes"

Next, the Trojan sets the following registry entries to disable autocomplete in Internet Explorer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AutoComplete\AutoSuggest = Yes
HKEY_CURRENT_USER\Software\Microsoft\Windows\Internet Explorer\Main\Use FormSuggest = Yes
HKEY_CURRENT_USER\Software\Microsoft\Windows\Internet Explorer\Main\FormSuggest Passwords = Yes
HKEY_CURRENT_USER\Software\Microsoft\Windows\Internet Explorer\Main\FormSuggest PW Ask = Yes

This Trojan then collects passwords from the compromised system and intercepts data entered into forms in Internet Explorer.

The Trojan opens a root shell on TCP port 23232 and an FTP server on TCP port 32121. It also opens back doors on TCP ports 12065 and 28253.

The Trojan then sends the stolen information to a remote attacker.

Additionally, it may upload configuration data through the web to a URL in the domain pidorasam.net.
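As an added defender-side triage script (not part of the original writeup), the following PowerShell checks a host for the registry, file, port and mutex indicators listed above. It assumes an elevated session on a Windows version that has Get-NetTCPConnection (Windows 8 / Server 2012 or later), and it reads the BHO DLL path from the CLSID's standard InprocServer32 subkey, which the writeup itself does not name.

```powershell
# Added triage script: checks a host for the Backdoor.Berbew.J indicators above.
$Clsid    = '{79ECA078-17FF-726B-E811-213280E5C831}'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. ShellServiceObjectDelayLoad autostart entry pointing at the BHO CLSID
$ssodl = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$v = (Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue).'WebEvent Logger'
if ($v -eq $Clsid) { $Findings.Add("SSODL 'WebEvent Logger' -> $Clsid") }

# 2. CLSID registration; InprocServer32 (standard COM subkey, assumed) holds the DLL path
$clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
if (Test-Path $clsKey) {
    $dll = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $Findings.Add("CLSID $Clsid registered (InprocServer32: $dll)")
}

# 3. Value 1601 = 0 in all five zones silences the unencrypted-form-submission prompt
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zeroed = @(0..4 | Where-Object {
    (Get-ItemProperty -Path "$zones\$_" -ErrorAction SilentlyContinue).'1601' -eq 0 })
if ($zeroed.Count -eq 5) { $Findings.Add('Zones 0-4: 1601 = 0 (form warning disabled everywhere)') }

# 4. HKLM\...\IE4\MGR marker the writeup associates with this family
$mgr = (Get-ItemProperty -Path 'HKLM:\Software\Microsoft\IE4' -ErrorAction SilentlyContinue).MGR
if ($mgr -like 'D-REPORTS-*') { $Findings.Add("IE4\MGR = $mgr") }

# 5. Data files dropped into %System%
foreach ($name in 'Engl32.dat', 'engl32.vxd', 'ccct32.dat', 'Rtdx1*.htm', 'Rtdx1*.dat') {
    Get-ChildItem -Path (Join-Path $env:SystemRoot "System32\$name") -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("File: $($_.FullName)") }
}

# 6. Listening back-door ports named in the writeup
$ports = 23232, 32121, 12065, 28253
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    ForEach-Object { $Findings.Add("Listening TCP $($_.LocalPort) (PID $($_.OwningProcess))") }

# 7. Mutex: OpenExisting throws when the mutex does not exist; access denied means it does
try   { [System.Threading.Mutex]::OpenExisting('Engel_12') | Out-Null; $Findings.Add('Mutex Engel_12 present') }
catch [System.Threading.WaitHandleCannotBeOpenedException] { }
catch [System.UnauthorizedAccessException] { $Findings.Add('Mutex Engel_12 present (access denied)') }

if ($Findings.Count -gt 0) { $Findings | ForEach-Object { "[!] $_" } }
else { '[+] No Backdoor.Berbew.J indicators found' }
```

A single hit on the SSODL entry or the CLSID key is sufficient to treat the host as compromised; the zone and autocomplete settings alone are weaker evidence because legitimate software can change them.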