Drive-by download leads to Backdoor Trojan (May 11, 2011)

SonicWALL UTM Research team discovered instances of malicious java applets being used to perform drive-by download of malware. The malware is downloaded and excuted without any user interaction once the applet executes. The downloaded malware was found reporting system information back to a remote server and it also creates a backdoor on the victim's machine. When a user visits a malicious domain hosting the applet it runs as seen below:

The applet is unsigned and prompts for the user's permission to run. If the user proceeds and runs the applet it downloads a file silently and executes it. The downloaded executable performs the following activities:

• It creates the following copies of the same file:
• %appdata%DocumentWriter.exe
• %temp%privzate.exe
• %temp%6858.jpg
• %temp%51156.jpg
• It creates the following registry entry to ensure that it runs on every system reboot:
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun:"%appdata%DocumentWriter.exe"
• It determines the public IP address by performing the following HTTP request to api.ipinfodb.com
• GET /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off
• It creates a backdoor listening on TCP port 1232
• It sends information back to a remote server such as version, infection date, IP address, OS information and screenshots

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

GAV: ClsDLod.A ( Trojan )
GAV: ClsDLod.A_2 ( Trojan )
GAV: VB.SGQ (Trojan)