|Detected||Nov 23 2008 18:09 GMT|
|Released||Nov 23 2008 21:39 GMT|
|Published||Mar 24 2011 12:24 GMT|
This Trojan provides a malicious user with remote access to the infected computer. It is a Windows application (PE EXE file). It is 45 780 bytes in size. It is packed using SVKP. It is written in C++.
When it launches, the malware checks for the presence of any system monitors and debuggers running, by referencing device drivers through these links:
\\.\SICE \\.\SIWVID \\.\NTICE \\.\REGSYS \\.\REGVXG \\.\FILEVXG \\.\FILEM \\.\TRW \\.\ICEEXTIt checks whether any process has been launched by a debugger or remote debugger. It also checks the name of the computer for the presence of the following strings:
nepenthes currentuser vmware honey sandboxThe malware ceases running upon detection of even just one of the listed conditions, displaying an error message. Then, the malware copies its executable file, named:
%Program Files%\Common Files\System\molox.exeor
C:\RECYCLER\ molox.exeand adds Hidden and System attributes to the file. In order to ensure that it is launched automatically each time the system is rebooted, it adds a link to its executable file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WindowsSystem32"="%Program Files%\Common Files\ System\molox.exe"or
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WindowsSystem32"=" C:\RECYCLER\ molox.exe"
Next, the malware places a link to its executable file in the list of allowed applications in Windows Firewall:
[HKLM\System\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%Program Files%\Common Files\System\molox.exe"="%Program Files%\ Common Files\System\molox.exe:*:Enabled:WindowsSystem32"Then, the malicious bot establishes a connection to the IRC server in order to obtain a command from the malicious user:
dend***p.huWhen it connects to the server, the malware applies the following parameters
USER <rnd> "fo<rnd2>.net" "lol" :<rnd>where rnd is a sequence of letters; rnd2 is a decimal number.
Next, the bot connects to the IRC channel:
#dbFollowing a successful connection to the server, the bot awaits the following commands from the malicious user:
The malware also attempts to obtain access to ftp servers and remote desktops, by scanning the network on receipt of the following command:
!scan (X) (random / logical) (ip/b/y) (vnc_mode) (transfer_mode) [Äèàïàçîí_ñêàíèðîâàíèÿ]The following parameters may be applied to this command:
The bot may also download files and launch them for execution, by receiving the command:
!h <configuration_data> (URL) [êàòàëîã_äëÿ_çàãðóçêè] (mode)Configuration_data is a download string presented in the form of an MD5 hash.
URL is the link for downloading the file.
Directory_for_download is the directory in which the downloaded file will be saved.
0 means download only
1 means download and execute
2 means download, execute, and delete itself
Configuration_data is a deletion string presented in the form of an MD5 hash.
When obtaining full access to a cftp server, the bot implements the following settings:
Host – oli***yip.hu User – u2m6g Password – k3***mt File – lol.jpgTo obtain access to a VNC server, the bot carries out a search in an attempt to find the correct password. The following strings are used first as a dictionary:
123 1234 12345 123456 1234567 12345678 abc abcd 1 admin pass password love
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WindowsSystem32"="%Program Files%\Common Files\System\molox.exe" [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WindowsSystem32"=" C:\RECYCLER\ molox.exe" [HKLM\System\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ List] "%Program Files%\Common Files\System\molox.exe"="%Program Files%\ Common Files\System\molox.exe:*:Enabled:WindowsSystem32"
%Program Files%\Common Files\System\molox.exeor
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.