Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor:W32/Maha.E


Discovered:
Aliases:


May 30, 2007
Backdoor:W32/Maha.E

Malware
Malware
BackdoorVirus
W32
W97M

Summary

Backdoor:W32/Maha.E allows the attacker to acquire system information and allows for the uploading, downloading, and running of files on the infected computer.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Backdoor:W32/Maha.E can record keyboard activities, keep a list of applications that a user has run, as well as archive URLs that a user opened. It steals logon IDs, passwords, PINs, check words, and other info related to online banking. Backdoor:W32/Maha.E arrives on the system as an embedded executable file inside an attached RTF file from spammed e-mail messages. The spammed e-mails appear to come from the U.S. Internal Revenue Service (IRS). The attachment contains a file named "COMPLAINT.rtf".When this RTF file is opened, it will display a fraudulent message that the original document was not loaded and will prompt the user to double click on the embedded object to reload msword.exe. Below is the sample message:

The embedded object is actually an executable file and when the user double-clicks, it will automatically execute the backdoor file. The RTF file is now detected as Trojan:W97M/Streedom.E.Once Backdoor:W32/Maha.E is executed, it will create the following files:

  • %WinDir%\svchost32.dll - Dll component also detected as Backdoor:W32/Maha.E
  • %WinDir%\svchost32.exe - Main Executable file

It also creates the following temporary files that will deleted by the malware after use:

  • C:\alit.html
  • C:\me.mp3

This backdoor installs itself as a service using the name "svchost32" by creating the following registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost32]

It also modifies the following registry entries in order to disable the firewall and its notifications:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess \Parameters\FirewallPolicy\StandardProfile] DisableNotifications = dword:00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess \Parameters\FirewallPolicy\StandardProfile] EnableFirewall = dword:00000000

Backdoor:W32/Maha.E connects to the following site and awaits for commands from a remote user:

  • IP address: 203.121.79.49
  • TCP Port: 54321

Upon successful connection, the following commands maybe executed:

  • Retrieve stolen information
  • Upload/download files
  • Execute/Delete files
  • Get System information

This backdoor also has key logging functions. It saves stolen information in the following file:

  • %SysDir%\drivers\ssl\01\[DD_MM_YYYY].html

It uses the following format:

  • [ [Process] - [Filename] - ? - ]{[Date]-[Time]} [key pressed]

In order to maximize the amount of typed information from the victim's machine, this backdoor disables password save features. It sets the following registry entries so that the user will be forced to type user information and passwords: Disable Save Password and Autologon for Yahoo:

  • [HKEY_CURRENT_USER\Software\Yahoo\Pager] Save Password = dword:00000000
  • [HKEY_CURRENT_USER\Software\Yahoo\Pager] Auto Login = dword:00000000

Disable Auto Complete in Internet Explorer:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] Use FormSuggest = "no"

Disable Storage of Credentials and .NET passwords:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] disabledomaincreds = dword:00000001

This malware may also steal online information upon visiting sites mostly related to Banking and Online Payments:

  • Anonygold.com
  • ANZ Internet Banking
  • AOL.com
  • Bank of America
  • BankCard
  • BankWest Online banking
  • Barclays IBank
  • bendigobank.com.au - bendigo e-banking
  • Capital One Online
  • Chase.com
  • Chevy Chase Bank
  • Citibank
  • e-gold
  • Gawab.com
  • Gmail
  • HSBC Bank
  • HYIP Lister
  • iKobo Money Transfer
  • ING Direct
  • Key Bank
  • Login to Paltalk
  • moneybookers.com
  • MoneyMakerGroup
  • NatWest
  • NetBank
  • Online Service
  • PayPal
  • Pecunix
  • PNC Bank
  • Reality Cycler
  • Rietumu banka
  • Safe-mail.net
  • SFIpay
  • St.George Internet Banking
  • V-Money
  • Wachovia
  • Walla!
  • Wells Fargo
  • WorldPay

It then sends log files containing stolen information to the following sites:

  • http://in-2-web2.com/img/[REMOVED].php
  • http://www.huquqalinsan.com/locales/[REMOVED].php
  • http://www2.scasd.org/developers/kla13/6threview/[REMOVED].php


Detection



Detection Type: PC
Database: 2007-05-30_05





Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free