Threat Monitor

 

« Back to list

Backdoor.Win32.Clampi.a

 
Aliases:
Pattern:200909231330
Threat Type Propagation Methods Systems Affected Risk Level
  • Backdoor
  • Windows NT
  • Windows XP
  • Windows 2000
  • Windows 95/98/ME
  • MS-DOS
  • Other
  • Low
 

Technical details

This Trojan spy program is designed to steal confidential user data and remotely manage the victim machine. It is a Windows PE EXE file. It is 470 bytes in size.

Installation

When launched, the Trojan creates the following file: 

%AppData%\<name>.exe

<name&gr; is chosen at random from the list below:

dumpreport
msiexeca
svchosts
upnpsvc
service
taskmon
rundll
helper
event
logon
sound
lsas

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“<name2>” = %AppData%\<name>.exe|

<name2&gr; is chosen at random from the list below:

CrashDump 
svchosts 
EventLog 
TaskMon 
Windows 
RunDll 
System 
Setup 
Sound 
lsass 
UPNP 
Init

Payload

The Trojan connects to servers to download and run malicious code. The server addresses are saved to the system registry key shown below:

HKCU\Software\Microsoft\Internet Explorer\Settings\"GatesList"

The Trojan saves its settings to the registry keys shown below:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GID"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyM"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyE" 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"PID

The malicious code downloaded from the servers is designed to harvest information from the victim machine (user name, login data, program passwords, local and network passwords).

The Trojan can also be configured to steal login and password data for Internet banking systems by substituting spoofed pages for genuine banking system pages. The program targets popular financial organizations such as the ones listed below:

https://www.hsbc.co.uk
https://www.mybusinessbank.co.uk
https://investing.schwab.com

The Trojan will regularly download updates to its code and additional modules. The programs downloaded include:

  • Trojan programs designed to steal bank account data
  • Trojans designed to steal passwords to common applications such as:

Browsers

IE Password Protected Sites IE AutoComplete Fields Firefox Opera

Messengers

MSN Messenger
ICQ
IRQ
Trillian
Miranda IM
Camfrog Video Chat
Easy Web Cam
Google Talk

FTP Programs

Total Commander
WS FTP
SecureFX FTP
WebDrive Ftp
FtpVoyager
AutoFTP
FTP Control
32bit Ftp
FTP Navigator
Far FTP
FlashFXP FTP
CuteFTP
CoffeeCup FTP
FileZilla FTP
FTP Now
CoreFTP
SmartFTP

Other Programs

Outlook Express
Dial Up
VNC
Remote Desktop
WinProxy
Google Desktop

Network propagation

In order to spread via the local network, the Trojan ties to copy itself to network machines by using ipc$ and admin$ and also shared folders. In order to launch itself on networked machines, the Trojan uses a legitimate utility, Sysinternal's psexec.exe.

Note

In order to prevent the malicious program spreading via networks, servers used by domain administrators should be disinfected. Additionally strong passwords should be used on local machines.

The Trojan downloads a variety of code from servers. This code can be modified or replaced with other malicious code. At the time of writing, the Trojan was configured to connect to the addresses listed below:

panel.***boora.cn
147.202.39.***
174.36.82.***        
195.12.38.***
195.189.247.***
195.225.236.***
205.234.231.***
209.51.159.***
209.85.120.***
61.153.3.***
64.18.143.***
66.128.55.***
66.199.237.***
66.199.237.***
66.225.237.***
66.7.197.***
75.102.23.***

The Trojan only runs on English versions of Windows.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious process.
  2. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the file created by the backdoor: 
    %AppData%\<name>.exe
  4. Delete the following system registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<name2>" = %AppData%\<name>.exe

    Update your antivirus databases and perform a full scan of the computer .

Back to Top

Partner Login

The PowerShift Program puts a world of resources at your fingertips.

Login Page:
http://www.netgear.com/Partners/
Powershift.aspx

Apply to be a Partner:
http://info.netgear.com/forms/powershift

Forget Password:
http://www.netgear.com/Extranet/
ForgotPassword.aspx

Highlights

  • Case Study
    Unity Electronics
    NETGEAR® STM Stream Scanning Technology Provides Unity Electronics with Peace of Mind
    Industry: E-Tailer
  • White Paper (PDF)
    NETGEAR® Stream Scanning Technology
  • White Paper (PDF)
    NETGEAR® In-The-Cloud Distributed Spam Analysis Technology: Network Based Protection Against Email-Borne Threats
  • UTM Flash Demo
    Learn more about the ProSecure™ UTM Solution
  • STM Flash Demo
    Learn more about the ProSecure™ STM Solution