The Padodor.W variant was found early on June 25th, 2004 as a
result of the Scob incident investigation:
http://www.f-secure.com/v-descs/scob.shtml
Padodor/Qukart was created by a Russian hacker group called
HangUp Team. The original Padodor backdoor source code was used
to create this variant, but the backdoor functionality was
removed. Padodor/Qukart steals personal information, including
credit card numbers, logins and passwords that a user types, and
other sensitive data.
This backdoor contains code to hide its presence in the system
(rootkit functionality), but this variant does not use it to hide
its files; it only hides its process. Later versions of this
backdoor, for example Padodor.AQ, do hide their files from file
managers. Note that the files remain visible when listed from the
command shell (CMD.EXE).
The trojan's file is a PE executable 51712 bytes long. The file is
encrypted and the decryption routine is polymorphic: every time
the trojan installs itself it generates a new decryptor, so its
file looks different after every installation.
The trojan was created using Padodor backdoor code. There is some
discussion about whether the HangUp Team was involved. Unless they
provided their Padodor source code to someone else (which is
doubtful), they are responsible for the latest Padodor/Qukart
incidents. Up to the .G variant of Padodor, their copyright string
was present in the backdoor files:
In later variants of the backdoor the copyright string was
removed, but the project name "padonok" (a misspelling of the
Russian word "podonok", meaning "scum") remained:
We do not directly accuse the HangUp hacker group of writing
Padodor; we only provide facts for investigation. It is for a
court to decide whether someone is guilty after analysing all the
evidence.
Installation to System
When the trojan's file is run, it installs itself to the system.
It copies its file to the Windows System directory under a random
name that may end in '32', for example 'amackg32.exe'. The trojan
also extracts and writes a small DLL file to the Windows System
folder. That file also has a randomly generated name that may end
in '32', for example 'bnldnl32.dll'. The DLL is a loader for the
dropped trojan executable: the name of the dropped file is patched
into the DLL before it is extracted.
Then the trojan creates a few Registry keys:
[HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@ = "%WinSysDir%\<random>.dll"
"ThreadingModel" = "Apartment"
where %WinSysDir% represents the Windows System folder and
<random> represents the randomly generated file name. Together
with the ShellServiceObjectDelayLoad value below, this causes the
shell to load the DLL every time Windows starts, and the DLL then
launches the trojan's executable.
Also the trojan creates the following Registry key value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
The trojan creates a mutex named 'KingKarton_10' and checks for it
at startup to avoid loading several copies of itself into memory.
It also creates the 'surf.dat' file in the Windows System folder
and writes the computer name and user name there every time it
activates.
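The persistence chain above (an SSODL value pointing at a CLSID
whose InProcServer32 is the dropped DLL) is easy to baseline. The
following triage script is an added example, not part of the
F-Secure description: it parses an exported .reg file rather than
the live registry so it runs offline on any platform, resolves
every ShellServiceObjectDelayLoad entry to its DLL path, and flags
the Padodor.W CLSID as well as any entry outside an operator
baseline. The sample export, the "WebCheck" baseline entry and its
placeholder CLSID are constructed for the example; the Padodor
CLSID, value name and file name are the ones given in the text.

```python
"""Triage check for the Padodor.W persistence keys.

Added example, not part of the F-Secure description. Works on an
exported .reg file (constructed sample below), not the live registry.
"""
import re

PADODOR_CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad")
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# SSODL is small and rarely changes; anything outside an operator-maintained
# baseline deserves a look. This baseline is an assumption for the example.
SSODL_BASELINE = {"WebCheck"}

# Constructed .reg export of an infected machine (not a real capture).
# The WebCheck CLSID is a placeholder; the Padodor entries follow the text.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{00000000-1111-2222-3333-444444444444}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\WINDOWS\\system32\\bnldnl32.dll"
"ThreadingModel"="Apartment"
"""

# `@=...` is the key's default value; `"name"=...` is a named value.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Parse a REGEDIT export into {key_path(lowercase): {value_name: data}}.

    Only string values are needed here. The default value is stored under
    "(Default)"; backslash escapes inside quoted data are removed.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def resolve_ssodl(keys):
    """Yield (value_name, clsid, dll_path) for every SSODL entry.

    dll_path is None when the CLSID has no InProcServer32 in the export.
    """
    for name, clsid in keys.get(SSODL_KEY.lower(), {}).items():
        server = keys.get(f"{CLSID_ROOT}\\{clsid}\\InProcServer32".lower(), {})
        yield name, clsid.upper(), server.get("(Default)")


def flag_ssodl(keys, baseline=SSODL_BASELINE):
    """Return [(value_name, clsid, dll_path, reasons)] for suspicious entries."""
    findings = []
    for name, clsid, dll in resolve_ssodl(keys):
        reasons = []
        if clsid == PADODOR_CLSID:
            reasons.append("CLSID matches the Padodor.W indicator")
        if name not in baseline:
            reasons.append("SSODL value not in baseline")
        if dll is None:
            reasons.append("CLSID has no InProcServer32 path")
        if reasons:
            findings.append((name, clsid, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, clsid, dll, reasons in flag_ssodl(parse_reg_export(SAMPLE_REG)):
        print(f"{name!r} -> {clsid} -> {dll}: {'; '.join(reasons)}")
```

Run against the sample, the script reports only the "Web Event
Logger" entry, resolved to bnldnl32.dll in the System folder. The
DLL path is printed on purpose: since the trojan randomises the
file name, the resolved path (not a fixed file name) is what an
analyst collects from each machine.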
Stealing passwords and credit card numbers
When the trojan is active, one of its threads constantly looks for
the following text strings in Microsoft Internet Explorer windows:
.paypal.com
signin.ebay.
.earthlink.
.juno.com
my.juno.com/s/
webmail.juno.com
.yahoo.com
and
Sign In
Log In
If such text strings are found, the trojan captures the user's
login and password and saves them to a file called DNKK.DLL in the
Windows System folder. The trojan can then display a fake web form
asking the user to select his/her credit card type and enter full
name, credit card number, expiration date, CVV2 code and ATM PIN.
The collected data is stored in a file called KK32.DLL in the
Windows System folder. Here is a screenshot of the fake form
displayed by the trojan:
The trojan creates a thread that periodically creates or changes
the following Registry keys:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>]
"1601" = <value>
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = <value>
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"
This thread then creates an HTML file containing the stolen data,
opens it with Internet Explorer, and a small script in the page
submits the data to one of the following websites (selected
randomly):
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
After submitting, the trojan checks the site's response; if it is
the string 'X-okRecv11', the trojan deletes the HTML file and
terminates the Internet Explorer process.
The trojan creates another thread that periodically accesses the
following webpages:
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://ldark.nm.ru/index.htm
http://fethard.biz/index.htm
Before accessing these websites the trojan creates an HTML file
with a special script. If the index.htm page on one of these sites
contains the string 'X-okRecv11', the trojan terminates Internet
Explorer and deletes the created HTML file. Otherwise the trojan
browses the Internet cache files and appends the most recently
used HTML file to the KK32.VXD file in the Windows System folder.
Note that during the operations described above the trojan creates
a new desktop called 'blind_user' on the infected computer, which
the user cannot see, and opens Internet Explorer there.
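Because the trojan drives a real Internet Explorer instance, the
exfiltration (a POST to /index.php on one of the first list of
sites) and the periodic check-in (a GET of /index.htm on one of the
second list) both pass through any web proxy, where they can be
spotted without touching the infected host. The following scanner
is an added example, not part of the F-Secure description: it
classifies proxy log lines against the two host lists above and
checks a captured response body for the 'X-okRecv11'
acknowledgement. The host lists are those given in the text; the
log format ("timestamp client method url status") and the log
lines are constructed for the example.

```python
"""Proxy-log detection for the Padodor.W network behaviour.

Added example, not part of the F-Secure description. Host lists come from
the text; the log format and lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Sites the stolen data is POSTed to as http://<host>/index.php
EXFIL_HOSTS = {
    "crutop.nu", "crutop.ru", "mazafaka.ru", "color-bank.ru", "asechka.ru",
    "trojan.ru", "fuck.ru", "goldensand.ru", "filesearch.ru", "devx.nm.ru",
    "ros-neftbank.ru", "lovingod.host.sk", "www.redline.ru", "cvv.ru",
    "hackers.lv", "fethard.biz",
}
# Sites polled as http://<host>/index.htm for the acknowledgement string
CHECKIN_HOSTS = {
    "ldark.nm.ru", "gaz-prom.ru", "promo.ru", "potleaf.chat.ru", "kadet.ru",
    "cvv.ru", "crutop.nu", "crutop.ru", "mazafaka.ru", "xware.cjb.net",
    "konfiskat.org", "parex-bank.ru", "kidos-bank.ru", "kavkaz.ru",
    "fethard.biz",
}
ACK_STRING = "X-okRecv11"

# Constructed proxy log format: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample: one infected client (10.0.0.5), one host contact on an
# unexpected path, and unrelated traffic that must not match.
SAMPLE_LOG = """\
2004-06-25T10:01:02 10.0.0.5 GET http://www.example.com/ 200
2004-06-25T10:01:10 10.0.0.5 GET http://crutop.ru/index.htm 200
2004-06-25T10:01:15 10.0.0.5 POST http://cvv.ru/index.php 200
2004-06-25T10:02:00 10.0.0.7 GET http://cvv.ru/about.htm 404
2004-06-25T10:02:30 10.0.0.9 GET http://www.example.com/index.php 200
"""


def classify_request(method, url):
    """Map one request to a Padodor.W verdict, or None if it is unrelated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host in EXFIL_HOSTS and path == "/index.php" and method == "POST":
        return "padodor-exfil"          # stolen data being submitted
    if host in CHECKIN_HOSTS and path == "/index.htm" and method == "GET":
        return "padodor-checkin"        # periodic poll for the ack string
    if host in EXFIL_HOSTS or host in CHECKIN_HOSTS:
        return "padodor-host-contact"   # listed host, other path: a weaker lead
    return None


def scan_proxy_log(text):
    """Return [(client, verdict, url)] for every line matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        verdict = classify_request(m["method"], m["url"])
        if verdict:
            hits.append((m["client"], verdict, m["url"]))
    return hits


def likely_infected(hits):
    """Clients that showed exfil or check-in traffic, not mere host contact."""
    return {c for c, v, _ in hits if v in ("padodor-exfil", "padodor-checkin")}


def response_acknowledged(body):
    """True if a captured index.php/index.htm body carries the drop-site ack.

    The text says the POST reply is compared for equality and the index.htm
    page is searched for the string; a substring test covers both.
    """
    return ACK_STRING in body


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for client, verdict, url in hits:
        print(f"{client} {verdict} {url}")
    print("likely infected:", sorted(likely_infected(hits)))
```

A hit on these hosts is a lead, not proof: the lists are simply
what this sample contacts, and several of the names look like
ordinary sites, so confirm a flagged client against the host
artifacts described earlier (the SSODL entry, surf.dat, DNKK.DLL,
KK32.DLL, KK32.VXD) before treating it as infected. The
"padodor-host-contact" verdict is kept separate for the same
reason.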
Detection for Padodor.W was published on June 25th, 2004 in the
following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-06-25_01
Technical Details:
Alexey Podrezov, June 25th, 2004;
Description Updated:
Alexey Podrezov, March 3rd, 2004;
F-Secure Corporation