Summary

Disinfection

Additional Details

The main executable has been packed with unmodified UPX and its packed length is 58368 bytes, once unpacked it grows to 118272.

System installation

The first component to be executed in an system will be the Emaner dropper, which making use of almost identical functionality as found later in the main backdoor code, will drop a second component into the user's system, and proceed then to run it. This will be achieved calling the LoadLibrary function from the Windows' Kernel32.DLL.

The dropped component will be stored in a stream in the default Windows temporary folder if the file system of the computer is NTFS (this is the default one in Windows NT,2000 and XP), and in the same folder but as a normal file, if the filesystem does not allow streams, i.e. VFAT.

The file/stream name is randomly generated, and it will always consist of lowercase characters from the range [a-z]. The filename is built from dividing a randomly chosen number and using the remainder of subsequent divisions to obtain the characters used in the filename. The random number is divided over 26 and to the remainder the ordinal of the 'a' character is added, therefore obtaining the range of characters previously given.

Once the file is copied, the dropper will exit if it has been able to execute the dropped backdoor.

The backdoor component.

This component is a DLL, and it has to be run as such. The DLL size is 113152 bytes. The backdoor has an extensive number of features which allow the attacker to gain a high degree of control over the infected machine.

When the backdoor is run, it will add an entry in the Windows Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] <random name> = rundll32 <path to DLL>,<options>

All the values <random name>, <path to DLL> and <options> depend on several factors. Although <random name> will match the basename without extension of the file pointed by <path to DLL>, which will consist of lowercase characters on the range [a-f].

The DLL has the following entry points: DebugBreakpoint DebugInit Init InitService SpawnedInit Uninstall

Which lead to different behaviors. Running the following command:

rundll32 <path to the DLL>,<any of the above entry points and its options>

will load the DLL and execute the according code.

The backdoor contains the following text:

(The text has been reformatted for better appearance on our Web)

************************************************************If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 <path to this DLL>,Uninstall and click "OK" ************************************************************

Which provides with real information regarding the removal of the backdoor.

More information on removal can be found from the Disinfection section.

Detection

[FSAV_Database_Version]
Version=2003-10-01_01

Technical Details:Ero Carrera, 2nd of October, 2003;