September 8, 2013

Russian anti-virus company Doctor Web is warning users about the malignant program BackDoor.Saker.1, which is capable of bypassing the User Account Control (UAC). The program's main function is to execute directives from criminals and, most importantly, to intercept user keystrokes (keylogging).

In a compromised system, the Trojan launches the file temp.exe to bypass the UAC. The file extracts a library to bypass the UAC and injects its code into the process explorer.exe, after which the library is saved into a system folder. Then, upon launching the utility sysrep, the library code launches the malignant application ps.exe which is detected by the Dr.Web anti-virus as Trojan.MulDrop4.61259. In turn, this file saves another library to a different folder. The library file is registered in the Windows Registry as a service with the name "Net Security Service" and the following description: “keep watch on system security and configuration.if this services is stopped, protoected content might not be down loaded to the device”. This library contains the main backdoor payload.

When launched, BackDoor.Saker.1 collects information about the compromised system, including the Windows version, CPU frequency, available RAM, computer name, user login and the hard disk serial number, and transmits it to criminals. Next, the Trojan creates a file in a system folder into which user keystrokes are logged. After this, the backdoor awaits a remote server’s response, which may involve commanding the backdoor to reboot, shut down, remove itself, start a separate thread to execute commands via a shell, or even run its own file manager which can upload files from an infected machine, download files via the network, create folders, and delete, move and run files.

The threat's signature has been added to Dr.Web virus databases, so BackDorr.Saker.1 poses no threat to computers protected by Doctor Web anti-viruses.