Backdoor.Berbew.O


Discovered: January 24, 2005
Updated: January 24, 2005 1:34:55 PM
Systems Affected: Windows

Backdoor.Berbew.O is a Trojan horse program that steals passwords from a compromised computer. The Trojan opens a back door and allows a remote attacker to have unauthorized access to the compromised computer. The Trojan also attempts to lower security settings in Internet Explorer.

When Backdoor.Berbew.O is executed, it creates the following files:
%System%\[8 random characters].dll
%System%\[8 random characters].dll
%System%\[6 random characters]32.exe

The Trojan creates several copies of the following randomly named file:
%Temp%\[8 random characters].htm

Next, the Trojan may open the aforementioned .htm files in a hidden Internet Explorer window.

The Trojan sets the following values in the registry so that it is executed every time Windows starts:
HKEY_CLASSES_ROOT\CLSID\{7CFBACFF-EE01-1231-ABDD-416592E5D639}\"InProcServer32" = "[random name].dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"Web Event Logger" = "{7CFBACFF-EE01-1231-ABDD-416592E5D639}"

The Trojan also modifies the following registry entries in an attempt to lower the security settings in Internet Explorer:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"1601" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"1601" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"1601" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1601" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1601" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"

The Trojan then creates the following registry entry as an infection marker:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IE4\"MGR" = "[random string]"
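A read-only check for the registry indicators listed above, written here as an added example (it is not part of the original writeup). It assumes an elevated PowerShell session on the host under review; the function and variable names are the author's own.

```powershell
# Added example: audit a host for the Backdoor.Berbew.O registry indicators
# described in the writeup. Read-only; it changes nothing.
$Clsid = '{7CFBACFF-EE01-1231-ABDD-416592E5D639}'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-BerbewIndicators {
    $findings = @()

    # Persistence: SSODL entry "Web Event Logger" loads the Trojan's CLSID at logon.
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    if ((Get-RegValue $ssodl 'Web Event Logger') -eq $Clsid) {
        $findings += "SSODL value 'Web Event Logger' references $Clsid"
    }

    # The CLSID's InProcServer32 default value names the dropped DLL.
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    $dll = Get-RegValue $inproc '(default)'
    if ($dll) { $findings += "CLSID $Clsid InProcServer32 -> $dll" }

    # IE zone action 1601 (submit non-encrypted form data) set to 0 (enabled)
    # in all five zones is the pattern the writeup describes.
    $zones = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $weak = @(0..4 | Where-Object { (Get-RegValue "$zones\$_" '1601') -eq 0 })
    if ($weak.Count -eq 5) { $findings += 'IE action 1601 = 0 in all zones 0-4' }

    # Infection marker written by the Trojan.
    if ($null -ne (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\IE4' 'MGR')) {
        $findings += 'Infection marker HKLM\SOFTWARE\Microsoft\IE4\MGR present'
    }
    return $findings
}

$result = Test-BerbewIndicators
if ($result.Count -eq 0) { 'No Berbew.O registry indicators found.' }
else { $result | ForEach-Object { "FOUND: $_" } }
```

GlobalUserOffline = 0 is deliberately not checked, because that is the normal online state on most machines and would only produce noise on its own.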

Next, the Trojan opens a back door on a random port. This allows the remote attacker to have unauthorized access to the compromised computer. It also allows the compromised computer to be used as a covert proxy.

The Trojan steals passwords from the compromised computer and the installed keylogger intercepts data entered into forms in Internet Explorer.

The Trojan passes the stolen information to the attacker by sending query strings to the following web site:
www.soplitekut.com

The Trojan uses rootkit technology to hide the processes and files associated with itself.