April 8, 2015

Doctor Web security researchers have examined a new malicious program that can execute cybercriminals’ commands and send the remote server screenshots made on the infected computer. This backdoor is able to check the infected computer for virtual environment and anti-virus programs.

The Trojan that acquired the name VBS.BackDoor.DuCk.1 is written in the Visual Basic Script programming language and is distributed as an LNK icon file with an embedded VBS script, which is archived. Once the icon is clicked, the VBS script is extracted, saved as a separate file and then launched.

VBS.BackDoor.DuCk.1 utilizes a rather remarkable method to identify the address of the command and control server. At the beginning of the script there are three links: two of them redirect the user to YouTube and the third one leads to the Dropbox file-sharing services.

The Trojan sends to the above mentioned resources a GET request, and within the received reply it executes a search based on the following regular expression: our (.*)th psy anniversary. The number acquired after the executed search is divided by 31,337—this mathematical operation results in another number that, after being converted to a hexadecimal notation, represents the IP address of the command and control server. To verify whether the server works or not, the Trojan sends a GET request to the specified address and checks the reply for the string "ОКОКОК".

VBS.BackDoor.DuCk.1 incorporates a special verification mechanism to check the infected computer for virtual environment and for running processes of various applications designed to monitor operating systems. Among other things, the backdoor can check the infected computer for anti-virus programs (if the Trojan detects any, it does not execute one of its scripts).

In the directory of the current Windows user, VBS.BackDoor.DuCk.1 creates a subfolder and uses it as a work folder. To conceal its presence, the Trojan saves the file vtoroy_doc.doc in the temporary folder and shows it to the user:

It can be assumed that initially the cybercriminals had planned to use a PowerPoint presentation as a "decoy" because at the end of the Trojan’s code the PowerPoint termination algorithm is incorporated (if the corresponding box is checked). However, due to some reason, they decided to go with another plan.

To make screenshots, the backdoor utilizes its own library. The screenshots are saved in the temporary folder as files with .tmp extension. Using a special REG file, the Trojan disables Microsoft Internet Explorer add-ins. If the malicious program is running on a computer with the Windows Vista operating system, then with the help of another REG file VBS.BackDoor.DuCk.1 disables protected mode in the Microsoft Internet Explorer browser. Moreover, by creating in the auto run folder the startup icon, the VBS.BackDoor.DuCk.1 Trojan enables its own automatic startup:

To receive commands from the server, the Trojan sends it a relevant request. Other commands of VBS.BackDoor.DuCk.1 include downloading other malicious to the infected computer application and uploading screenshots to the remote server. All other commands the VBS.BackDoor.DuCk.1 Trojan sends to the CMD (command interpreter) or to PowerShell. Moreover, on the infected computer this backdoor can execute a Python script. After being encrypted, the working results of this script are transferred to the cybercriminals’ server.

The signature of VBS.BackDoor.DuCk.1 has been added to the Dr.Web virus database, and, therefore, this malicious program no longer poses a threat to computers protected with Dr.Web.

More about this Trojan