February 14, 2012

Doctor Web—the Russian anti-virus developer company—warns users of a Trojan horse family added to the Dr.Web virus database as BackDoor.Volk. These Trojan horses modify the hosts file and execute commands received from a remote server. Interestingly, the Trojan horses supposedly originate in South America.

Doctor Web's virus laboratory has received an entire brood of these Trojan horses. BackDoor.Volk.1 was the first one. Curiously, this Trojan horse is written in PHP which is used primarily to create scripts and server applications and then converted into executable code with the php2exe utility. This malicious program modifies the hosts file that lists available DNS names and their respective IP addresses in the compromised system.

BackDoor.Volk can join into botnets controlled with a specially designed administration panel. Doctor Web's analysts got hold of a database dump from a server controlling a botnet comprised of BackDoor.Volk bots. The database contains entries for around 100 bots and infected machines are found in many countries. Most of them are located in Chile (31%) and Uruguay (13%), followed by Peru (8%), Argentina (4%) and Spain (3%). The least affected countries are the U.S. and India (2%), as well as Canada, Colombia, and Brazil (1%). The remaining 34% of infected machines are located in the country dubbed Unknown — some of them may be in Russia.

Unlike its predecessor, BackDoor.Volk.2 is written in Visual Basic and uses the POST routine instead of GET when accessing remote hosts to send requests. Apart from downloading and running applications and hosts file modification, this malware can carry out DDoS-attacks and is capable of stealing passwords stored by FTP-clients installed on the infected computer. It should be noted that the module used by BackDoor.Volk.2 to communicate with a remote server has earlier been implemented in another malicious program — BackDoor.Herpes whose source code appeared in the public domain a while ago.

BackDoor.Volk.3 and BackDoor.Volk.4 also written in Visual Basic, are BackDoor.Volk.2 modifications featuring different routines to communicate with a remote server. Other features are similar. The host file modification function of the Trojan horse is the most dangerous one since it can be used by criminals to redirect a potential victim to a phishing site while stolen FTP server access passwords may be used to get unauthorized access to various websites. Signatures of all known BackDoor.Volk modifications are added into the Dr.Web virus database.