Virus Database

Backdoor.Padodor.w

Description Backdoor.Padodor.w

also known as TrojanSpy.Win32.Qukart
Padodor/Qukart was created by a Russian hacker group called HangUp Team. The original Padodor backdoor source code was used to create this variant, but the backdoor functionality was removed. Padodor/Qukart steals personal information including credit card numbers, logins and passwords that a user types and other sensitive data. The Padodor.W variant was found early on June 25th, 2004 as a result of the Scob incident investigation.
http://www.f-secure.com/v-descs/scob.shtml
Detailed Description
The trojan's file is a PE executable 51712 bytes long. The trojan's file is encrypted and the decryption routine is polymorphic. Every time the trojan installs itself, it changes its decryptor, so its file will look different after every installation. The trojan was created using Padodor backdoor code. There's some discussion now as to whether HangUp Team was involved. Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents. Up to .G variant of Padodor their copyright was in the backdoor files
In the later variants of the backdoor the copyright string was removed, but the project name "padonok" (an incorrectly spelled Russian word "podonok" that means "scum") remained.
Installation to System
When the trojan's file is run, it installs itself to the system. It copies its file to Windows System directory with a random name that can contain '32' in the end. The name can be for example 'amackg32.exe'. Also the trojan extracts and writes a small DLL file to Windows System folder. That file also has a randomly generated name that can contain '32' in the end, for example 'bnldnl32.dll'. That DLL file is a starter for the dropped trojan's executable file. It already contains the name of the dropped trojan file - it is inserted there before extraction.
Then the trojan creates a few Registry keys:
[HKCRCLSID{79FEACFF-FFCE-815E-A900-316290B5B738}InProcServer32]
@ = "%WinSysDir%.dll"
"ThreadingModel" = "Apartment"
where %WinSysDir% represents the name of Windows System folder and represents a randomly generated file name. As a result, the DLL gets loaded every time Windows starts and it activates the trojan's file.
Also the trojan creates the following Registry key value:
[HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
The trojan creates a mutex named 'KingKarton_10' and checks it at startup to avoid loading several copies of itself to memory.
The trojan creates the 'surf.dat' file in Windows System folder and writes the computer name and user name there every time it activates.
Theft of passwords and credit card numbers
When the trojan is active, one of its threads is constantly looking for the following text strings in Microsoft Internet Explorer windows:
.paypal.com
signin.ebay.
.earthlink.
.juno.com
my.juno.com/s/
webmail.juno.com
.yahoo.com
and
Sign In
Log In
If such text strings are found, the trojan tracks the user's login and password and saves it to a file called DNKK.DLL located in Windows System folder. Then the trojan can show a fake webform and ask a user to select his/her credit card type, input his/her full name, credit card number, expiration date, CVV2 code and ATM PIN. The collected data is stored in a file called KK32.DLL file located in Windows System folder.
The trojan creates a thread that periodically creates or changes the following Registry keys:
[HKCUSOFTWAREMicrosoftWindowsCurrentVersionInternet Settingsones]
"1601" =
[HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
"GlobalUserOffline" =
[HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowseNewProcess]
"BrowseNewProcess" = "yes"
Then this thread creates an HTML file where it copies stolen data, opens it with Internet Explorer and the data gets submitted to one of the following websites (selected randomly) using a small script:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
After submitting the information, the trojan checks for feedback from the site and if it is a string equal to 'X-okRecv11', the trojan deletes the HTML file and terminates Internet Explorer.
The trojan creates another thread that periodically accesses the following webpages:
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://ldark.nm.ru/index.htm
http://fethard.biz/index.htm
Before accessing the above mentioned websites the trojan creates an HTML file with a special script. If the index.htm page on these sites contain 'X-okRecv11' string the trojan terminates Internet Explorer and deletes the created HTML file. Otherwise the trojan browses Internet cache files and appends the last used HTML file to the KK32.VXD file located in Windows System folder.
It should be noted that during the operation described above the trojan creates a new desktop called 'blind_user' on an infected computer that a user can not see and then opens Internet Explorer there.
© F-Secure Corporation

Check other viruses! Be aware! Use Antiviral Software

Huge.32767

Description Huge.32767

It is not a dangerous nonmemory resident encrypted parasitic virus. It searches for .COM files, then writes its actual code (about 850 bytes) to the beginning of the file and random data (32K) to the end of the file.
Depending on the system data the virus displays one of the messages:
What's the matter ? Running out of disk space lately ?
WARNING: This computer will self-destruct in 5 seconds

The virus also contains the text strings:
(c)Lx1991
Congratulations for disassembling Huge (c) 1991, by Lx.

Hungry.633

Description Hungry.633

It is a dangerous nonmemory resident parasitic virus. Being executed it displays the message:
Virus Ver 1.01ß Copyright (c) 1994 by Hungry Software

then it searches for .COM files and writes itself to the end of the file. On computers with AMI BIOS the virus depending on the system timer overwrites CMOS with some data.

Home