This backdoor and its dropper incorporate the novel feature of storing data in NTFS
streams, a particular mode of storing data provided by the NTFS file system.
The backdoor itself allows remote control of the infected machine.
Disinfection
The backdoor provides its own removal mechanism, which, however, seems to leave
some files on the system. It does remove the Registry key, so the backdoor won't run
the next time Windows restarts.
If a Windows 2000, NT or XP system is already infected, removing the DLL is not
trivial, given that it's located in a stream (if the system is using NTFS as
its underlying filesystem). F-Secure Anti-Virus will detect the backdoor when
the file/stream is accessed, but might not be able to delete it if it's in use.
A workaround is to temporarily set the option of automatic removal, instead of
prompting the user for confirmation, and then reboot the system. In this
way, after restarting, the stream containing the backdoor should be detected
when an attempt to access it is made, and therefore removed.
The main executable has been packed with unmodified UPX; its packed length
is 58368 bytes, and once unpacked it grows to 118272 bytes.
System installation
The first component to be executed on a system is the Emaner dropper, which,
using almost the same functionality found later in the main backdoor code,
drops a second component onto the user's system and then runs it. This is
achieved by calling the LoadLibrary function from Windows' Kernel32.DLL.
The dropped component is stored in a stream in the default Windows temporary
folder if the file system of the computer is NTFS (the default one in Windows
NT, 2000 and XP), and in the same folder but as a normal file if the filesystem
does not support streams, such as VFAT.
The file/stream name is randomly generated and always consists of lowercase
characters from the range [a-z]. The filename is built by repeatedly dividing
a randomly chosen number and using the remainder of each division to obtain
the characters of the filename: the random number is divided by 26, and the
ordinal of the 'a' character is added to the remainder, which yields the range
of characters given above.
Once the file is copied, the dropper exits if it has been able to execute the
dropped backdoor.
The backdoor component
This component is a DLL, and it has to be run as such. The DLL size is 113152 bytes.
The backdoor has an extensive number of features which allow the attacker to gain a high
degree of control over the infected machine.
When the backdoor is run, it will add an entry in the Windows Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
<random name> = rundll32 <path to DLL>,<options>
The values <random name>, <path to DLL> and <options> all depend on several factors,
although <random name> will always match the basename, without extension, of the
file pointed to by <path to DLL>, which consists of lowercase characters in the
range [a-f].
The entry points lead to different behaviors. Running the following command:
rundll32 <path to the DLL>,<any of the above entry points and its options>
will load the DLL and execute the corresponding code.
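As an added example (not part of the original description), the following Python checks Run-key values for the persistence pattern described above: a rundll32 command whose DLL lives in a stream under the Temp folder and whose value name equals the lowercase basename of that file. The sample value names, paths and stream names are constructed for illustration, not taken from a real infection.

```python
import ntpath
import re

# Constructed Run-key values (value name -> value data); none are taken from a real system.
SAMPLE_RUN_VALUES = {
    "dbeacf": r"rundll32 C:\WINNT\Temp\dbeacf:cfbade,Install",  # DLL hosted in an NTFS stream
    "afcb": r"rundll32 C:\WINNT\Temp\afcb.dll,Install",  # plain file, as on VFAT
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup",  # legitimate use
    "Synchronization Manager": "mobsync.exe /logon",  # not a rundll32 command at all
}

# 'rundll32' or a full path to rundll32.exe, optionally quoted, then its argument string.
RUNDLL32_RE = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)
LOWER_NAME_RE = re.compile(r"^[a-z]+$")


def parse_rundll32(command):
    """Return (dll_path, entry_point_and_options) for 'rundll32 <path>,<entry>', else None."""
    match = RUNDLL32_RE.match(command)
    if match is None or "," not in match.group(1):
        return None
    dll_path, entry = match.group(1).split(",", 1)
    return dll_path.strip().strip('"'), entry.strip()

def stream_parts(dll_path):
    """Split the last component 'file:stream' into (file, stream); stream is None for a plain file."""
    name = ntpath.basename(dll_path)  # the drive colon in 'C:' is not part of the basename
    host, sep, stream = name.partition(":")
    return host, (stream if sep else None)

def assess_run_value(name, data):
    """List the indicators from the description above that one Run-key value matches."""
    parsed = parse_rundll32(data)
    if parsed is None:
        return []
    host, stream = stream_parts(parsed[0])
    indicators = []
    if stream is not None:
        indicators.append("dll_in_alternate_data_stream")
    if TEMP_DIR_RE.search(parsed[0]):
        indicators.append("dll_in_temp_folder")
    if name == ntpath.splitext(host)[0] and LOWER_NAME_RE.match(name):
        indicators.append("value_name_equals_lowercase_basename")
    return indicators

def scan_run_values(values):
    """Return {value_name: indicators} for every value matching at least one indicator."""
    hits = {name: assess_run_value(name, data) for name, data in values.items()}
    return {name: inds for name, inds in hits.items() if inds}
```

On a live system the same checks can be run over the values exported from the Run key named above; a value matching all three indicators is worth examining, while a single indicator (a DLL in Temp, say) is only a hint.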
The backdoor contains the following text:
(The text has been reformatted for better appearance on our Web)
************************************************************
If you read this, then this program was probably stolen from our laboratory.
Author of this software is not responsible for any harm that may be caused by
incompetent or malicious persons who use this software possibly running on your
machine. Therefore, please remove this software as soon as possible. Click the
"Start" menu, select "Run", enter there: rundll32 <path to this DLL>,Uninstall
and click "OK"
************************************************************
This text provides genuine information regarding the removal of the backdoor.
More information on removal can be found in the Disinfection section.