VIRUS ALERT No.95 - Wednesday, October 16, 2002.

Backdoor.Netdex

Netdex is a multi-component backdoor trojan. It lets a remote attacker take control of infected computers. To do this, the backdoor code downloads script files from the Web site http://www.two.com.ru, executes them, and sends the results back to that Web site.

The main backdoor component is a JavaScript program, run by the Windows Script Host (wscript.exe), with the name:

       "zshell.js"

Other backdoor components are:

       a.com - DOS COM program (helper)
       netd.exe - Win32 EXE program (transfer service)
       o.js, installer.php - JavaScript (installer)
       repost.html, sh.php - HTML page with an embedded JavaScript program (additional component)

Infecting

Computers become infected when a user visits the backdoor's host site at http://www.two.com.ru. The site's index page contains a script. If the browser is allowed to run scripts, that script is executed.

By exploiting a security vulnerability (see below), the script creates and runs the backdoor components on the victim's computer. Once run, the components install themselves into the system and start the backdoor routine. The main backdoor component is registered in two system registry auto-run keys:

       HKLM\Software\Microsoft\Windows\CurrentVersion\Run
       Time Zone Synchronization = wscript "%Cookies folder%\zshell.js"

       HKCU\Software\Microsoft\Windows\CurrentVersion\Run
       Time Zone Synchronization = wscript "%Cookies folder%\zshell.js"

The backdoor uses the 'Microsoft VM ActiveX Component' vulnerability (Microsoft Security Bulletin MS00-075) to get its files written to disk and run. See http://www.microsoft.com/technet/security/bulletin/MS00-075 for details; installing the patch from that bulletin, or disabling Java in Internet Explorer's Internet zone, closes this route.

To disguise its activity, the Web page carries a title and text in Russian (translated here):

       Title: Why did you get here?
       Text: Enter password to begin

If a password is entered, further text in Russian is displayed.

Netdex Password Screen: (screenshot not reproduced)


Main Backdoor Component

The backdoor itself is a script written in JavaScript. Once a minute it fetches a set of commands from the host site and executes them. It supports the following kinds of command:

       * runs a command or a specified local file
       * displays a specified message on the computer's desktop
       * updates itself
       * sends email on behalf of the victim computer
       * terminates itself

See a full list of commands below.
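The once-a-minute polling described above is the behaviour a network-side check can catch. The following Python script is an added example, not code from the original alert or from the backdoor: it reads constructed Web proxy log lines (an assumed 'epoch client method url' layout, with an assumed request path /cmd, since the alert does not say which URL the backdoor polls) and reports any client that contacts a host at a near-constant interval close to 60 seconds, tolerating an occasional missed poll. The host name www.two.com.ru and the one-minute period are from the alert; the thresholds and function names are assumptions.

```python
"""Flag the once-a-minute polling Backdoor.Netdex does against its host
site, using Web proxy log lines.  Added example; the log is constructed."""
from collections import defaultdict
from statistics import median

BEACON_PERIOD = 60   # seconds: the alert says the backdoor polls once each minute
TOLERANCE = 5        # seconds of jitter allowed around that period (assumption)
MIN_HITS = 4         # fewer contacts than this is not yet a pattern (assumption)
MIN_REGULAR = 0.8    # share of gaps that must be regular (allows a missed poll)

# Constructed sample in an assumed 'epoch client method url' layout.  Client
# 10.0.0.7 polls www.two.com.ru every 60 s (one poll missed at +240 s) while
# also browsing; 10.0.0.9 browses normally.  The /cmd path is invented: the
# alert does not say which URL the backdoor polls.
SAMPLE_LOG = """\
1034755200 10.0.0.7 GET http://www.two.com.ru/cmd
1034755212 10.0.0.9 GET http://www.microsoft.com/technet/
1034755230 10.0.0.9 GET http://www.microsoft.com/technet/security/
1034755233 10.0.0.9 GET http://www.microsoft.com/technet/security/bulletin/MS00-075
1034755260 10.0.0.7 GET http://www.two.com.ru/cmd
1034755290 10.0.0.7 GET http://www.google.com/search?q=time
1034755320 10.0.0.7 GET http://www.two.com.ru/cmd
1034755380 10.0.0.7 GET http://www.two.com.ru/cmd
1034755400 10.0.0.9 GET http://www.two.com.ru/
1034755500 10.0.0.7 GET http://www.two.com.ru/cmd
1034755500 10.0.0.9 GET http://www.microsoft.com/
1034755560 10.0.0.7 GET http://www.two.com.ru/cmd
"""


def parse_line(line):
    """Split 'epoch client method url' into (epoch, client, host)."""
    ts, client, _method, url = line.split(maxsplit=3)
    host = url.split("://", 1)[-1].split("/", 1)[0].lower()
    return int(ts), client, host


def find_beacons(log_text, period=BEACON_PERIOD, tolerance=TOLERANCE,
                 min_hits=MIN_HITS, min_regular=MIN_REGULAR):
    """Return [(client, host, hits, median_gap)] for every client/host pair
    contacted at a near-constant interval close to `period` seconds."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host = parse_line(line)
            stamps[(client, host)].append(ts)

    beacons = []
    for (client, host), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        regular = sum(abs(g - mid) <= tolerance for g in gaps)
        # A beacon: most gaps sit on the median, and the median is the period.
        if regular >= min_regular * len(gaps) and abs(mid - period) <= tolerance:
            beacons.append((client, host, len(times), mid))
    return beacons


if __name__ == "__main__":
    for client, host, hits, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {hits} requests, every {gap}s")
```

Because the check keys on the interval rather than on the host name, it also flags a machine polling a host set later by the SETCMDURL command; raise MIN_HITS or tighten TOLERANCE if legitimate auto-refreshing pages produce noise.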

Technical Details - Infecting

Step 1 - opening the infected Web page

When the JavaScript on the main HTML page of the hacker's Web site runs, it 'drops' the following files onto the victim's computer:

       dropped file: a DOS COM file named a.com, saved to the Windows temp directory.
       dropped and executed file: the JavaScript file zshell.js, saved to the Windows 'Cookies'
       directory.

Thus there are two new files on victim computers:

       "%TMP%\a.com"
       "%Cookies folder%\zshell.js"

Step 2 - Creating the Backdoor Component

The 'zshell.js' script that is run during Step 1 performs two main actions:

Action 1: - it creates the "transfer service" file - netd.exe - a Win32 EXE file.

To do this the script runs the 'a.com' file in the temporary folder. The 'a.com' file extracts from its code, decrypts and drops the 'netd.exe' file into the temporary directory. This file is then copied to the Windows 'Cookies' folder.

The 'netd.exe' program will then be used as a helper to send/receive data to/from the main backdoor's Web page. This helper program supports SMTP and HTTP protocols to transfer data to/from infected computers.

Action 2: it downloads the file 'install.php' from the Web site, stores it under the name 'o.js', and runs it.

To do this the script issues an HTTP GET request through the 'netd.exe' transfer service.

Step 3 - Installing the Backdoor

The 'o.js' script that is run in Step 2 performs the following actions:

Action 1: it downloads the 'sh.php' file from the Web site, stores it under the name 'zshell.js', and executes it. This 'zshell.js' is the main backdoor component.

Action 2: it creates registry auto-run keys that will start the main backdoor component (zshell.js) upon Windows restart.

Action 3: it creates a script file that re-launches the backdoor.

To do this the 'o.js' script creates a new 'repost.html' file in the Windows Cookies folder:

       "%Cookies folder%\repost.html"

and writes a script program to this location that runs the zshell.js file (main backdoor component).

The repost.html file is then registered in the registry key:

       HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\PostNotCached

Internet Explorer loads the page registered under this key whenever it shows its about:PostNotCached notice (the 'page has expired' warning for a non-cached POST result), so during ordinary browsing the repost.html script is run and the main backdoor script regains control.

This completes the installation.
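Steps 1 to 3 leave three registry entries behind: the two 'Time Zone Synchronization' auto-run values and the PostNotCached hijack. The following Python script is an added example, not code from the original alert: it parses a Windows registry export (.reg text, as produced by 'reg export' or Regedit's File > Export) offline and reports those entries, plus any other value that names one of the dropped files. The key paths, value names and file names are from the alert; the two sample exports (with a Windows 9x-style C:\WINDOWS\Cookies path), the function names and the finding format are constructed for illustration.

```python
"""Offline check of a Windows registry export (.reg text) for the
Backdoor.Netdex persistence entries.  Added example; the indicators
are the ones the alert lists, the sample exports are constructed."""
import re

# Indicators taken from the alert.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE = "Time Zone Synchronization"
ABOUTURL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs"
ABOUTURL_VALUE = "PostNotCached"
DROPPED_FILES = ("zshell.js", "netd.exe", "repost.html", "o.js", "a.com")

# Constructed sample of an infected machine's export (Windows 9x style
# Cookies folder; the exact path is an assumption).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Time Zone Synchronization"="wscript \"C:\\WINDOWS\\Cookies\\zshell.js\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Time Zone Synchronization"="wscript \"C:\\WINDOWS\\Cookies\\zshell.js\""
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"PostNotCached"="file://C:\\WINDOWS\\Cookies\\repost.html"
'''

# Constructed clean export for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"PostNotCached"="res://shdoclc.dll/repost.htm"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: data}} from .reg text.

    String data ("Name"="data") is unescaped; dword:/hex: data is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # .reg files double backslashes and escape quotes inside strings.
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def _mentions_dropped_file(data):
    """True if data contains one of the Netdex file names as a whole name
    (so 'nvidia.com' does not match 'a.com')."""
    return any(re.search(r'(?<![\w.])' + re.escape(f) + r'(?!\w)', data, re.I)
               for f in DROPPED_FILES)


def find_netdex_indicators(reg_text):
    """Return a list of findings; an empty list means nothing matched."""
    keys = parse_reg_export(reg_text)
    findings, reported = [], set()
    # 1. The two auto-run values the installer (o.js) creates.
    for key in RUN_KEYS:
        data = keys.get(key.lower(), {}).get(RUN_VALUE)
        if data is not None:
            findings.append(f"autorun value '{RUN_VALUE}' in {key}: {data}")
            reported.add((key.lower(), RUN_VALUE))
    # 2. Internet Explorer's about:PostNotCached page pointed at repost.html.
    post = keys.get(ABOUTURL_KEY.lower(), {}).get(ABOUTURL_VALUE)
    if post is not None and "repost.html" in post.lower():
        findings.append(f"IE {ABOUTURL_VALUE} page redirected to {post}")
        reported.add((ABOUTURL_KEY.lower(), ABOUTURL_VALUE))
    # 3. Any other value naming a dropped file (catches a renamed variant).
    for key, values in keys.items():
        for name, data in values.items():
            if (key, name) not in reported and _mentions_dropped_file(data):
                findings.append(f"Netdex file referenced in {key} \\ {name}: {data}")
    return findings


if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        hits = find_netdex_indicators(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

Export the three keys from the suspect machine and feed the text to find_netdex_indicators(); a hit on the PostNotCached value is the one to clean first, since that entry re-launches the backdoor from ordinary browsing even after the Run values are gone.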

Backdoor Commands:

       EXIT - terminates the backdoor program
       NOBREAK - does nothing
       SETCMDURL - stores a new host (Web page) to communicate with
       RUN - runs the command given in the argument
       SENDMAIL - sends an email message; the SMTP server is read from the registry value
       "HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server",
       or "mail.ru" is used if that fails
       UPDATE - downloads a file and stores it as "%Cookies folder%\zshell.js"
       ALERT - displays a message
       SLEEP - waits %n% minutes (%n% is given in the argument)
       SENDCONFIRM - reports 'I am here' to the host
       RUNTHESELF - restarts itself from "%Cookies folder%\zshell.js"





ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.




IMPORTANT NOTICE: All those who are receiving this advice and find 'FAILED' followed by a 6 or 8 digit figure in the "name" field should be advised that, at least once, emails to that address have been returned to us. As the list of subscribers now exceeds 100,000, and since this is a free service, we kindly urge you to become a registered subscriber to this service and ensure delivery by subscribing under a reliable email address. WE REGRET THAT AFTER THIS ISSUE, ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.


DISCLAIMER:

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


Fabian Brincat
Webmaster
Fabian Enterprises Ltd.



FABIAN ENTERPRISES LTD.
18-20, MSIDA ROAD,
GZIRA. GZR 1401.
MALTA.
TELEPHONE: (++356) 21 31 32 83 or 21 32 08 45
FAX: (++356) 21 33 80 87
E-MAIL CONTACT
sales@fabian.com.mt

©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.

All Trade names and Trade marks are hereby acknowledged as being the property of the Registered Owners






161002/100904/051004