A backdoor written in Assembly and incorporating several components.
It has only one exportable function (install) containing the path to sr.dat as the third parameter. Once install is called, the shellcode is decoded and granted all control functions.
Then the Trojan performs a search for the necessary API in the following libraries: kernel32.dll, advapi32.dll, ntdll.dll, psapi.dll, shell32.dll, Shlwapi.dll, userenv.dll, user32.dll, ws32_2.dll.
Next, it reads the encrypted configuration file stored in %PROGRAM%\Internet Explorer\Connection Wizard\Pa.ds.
By checking the settings of iexplorer.exe, the malware detects a proxy server. Then it gathers the computer-related information (OS version, computer name, local IP). The backdoor searches for the explore.exe process, gets its token, impersonates itself as ImpersonateLoggedOnUser, and calls the following functions: GetUserNameA and LoadUserProfileA.
The Trojan lists all running services and sets for them the following flags:
SERVICE_INTERACTIVE_PROCESS+SERVICE_WIN32_OWN_PROCESSThe Trojan lists all running services and sets for them the following flags:
%s\Internet Explorer\kl.dat
%s\Internet Explorer\um.dat
Decodes the files and executes their shellcodes.
The backdoor incorporates a module resembling a telnet server and receives commands from the command and control server.