Win32/Rootkit.BlackEnergy [Threat Name]

Win32/Rootkit.BlackEnergy.AA [Threat Variant Name]

Category trojan
Size 114416 B
Detection created Oct 25, 2010
Detection database version 5562
Aliases Rootkit.Win32.Blakken.bg (Kaspersky)
  Trojan:Win32/Malagent (Microsoft)
Short description

Win32/Rootkit.BlackEnergy.AA installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %system%\drivers\%randomstring%.sys
  • %system%\drivers\str.sys
  • %system%\MAI1.tmp

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%randomstring%]
    • "ImagePath" = "%system%\drivers\%randomstring%.sys"
    • "DisplayName" = %randomstring%
    • "Group" = "Boot Bus Extender"
    • "Type" = 1
    • "_MAIN" = "%system%\MAI1.tmp"
    • "RulesData" = %variable1%
    • "krnl_sleepfreq" = %variable2%
    • "krnl_servers_list" = %variable3%

A string with variable content is used in place of %randomstring% and %variable1-3%.
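As an added example (not ESET's code and not part of the original description), the following Python scans a .reg export of the Services key for the registry indicators listed above: the custom value names, the _MAIN value pointing at MAI1.tmp, and the str.sys driver path. Because the hooks on NtOpenKey, NtEnumerateKey and NtEnumerateValueKey listed further down can hide the service key from tools on a running infected system, the export should be taken from an offline hive (for example after a clean boot). The service names, paths and sample export below are constructed, not real data.

```python
SUSPECT_VALUE_NAMES = {"_MAIN", "RulesData", "krnl_sleepfreq", "krnl_servers_list"}
SUSPECT_FILE_SUFFIXES = ("\\drivers\\str.sys", "\\mai1.tmp")
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"

def parse_reg_export(text):
    # Parse a .reg export into {key_path: {value_name: value}}; strings and dwords are decoded.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:  # quoted string; .reg syntax doubles backslashes
                value = raw.strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = value
    return keys

def find_suspect_services(keys):
    """Return [(service_name, reasons)] for services matching the BlackEnergy.AA profile."""
    hits = []
    for path, values in keys.items():
        if not path.upper().startswith(SERVICES_PREFIX):
            continue
        reasons = []
        custom = sorted(SUSPECT_VALUE_NAMES & set(values))
        if custom:
            reasons.append("custom values: " + ", ".join(custom))
        for name in ("ImagePath", "_MAIN"):
            if str(values.get(name, "")).lower().endswith(SUSPECT_FILE_SUFFIXES):
                reasons.append(name + " references a dropped file")
        # Boot-start "Boot Bus Extender" is normal for real bus drivers; only meaningful with custom values.
        if custom and values.get("Group") == "Boot Bus Extender" and values.get("Type") == 1:
            reasons.append("boot-start driver in Boot Bus Extender group")
        if reasons:
            hits.append((path.rsplit("\\", 1)[-1], reasons))
    return hits

# Constructed sample export (not real data): one ordinary driver, one matching service.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDrv]
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzx7k2]
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\qzx7k2.sys"
"Group"="Boot Bus Extender"
"Type"=dword:00000001
"_MAIN"="C:\\WINDOWS\\system32\\MAI1.tmp"
"krnl_servers_list"="http://c2.invalid/"
'''
```

Calling find_suspect_services(parse_reg_export(SAMPLE_REG)) flags only qzx7k2, with the custom values, the _MAIN reference to MAI1.tmp and the boot-start group as reasons.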

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs. The HTTP protocol is used.

It may perform the following actions:

  • perform DoS/DDoS attacks
  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • send various information about the infected computer
  • update itself to a newer version

The following programs are terminated:

  • avgchsvx.exe
  • avgrsx.exe
  • AVGIDSAgent.exe
  • avgcsrvx.exe
  • avgfrw.exe
  • avgtray.exe
  • AVGIDSMonitor.exe
  • avgwdsvc.exe
  • avgfws9.exe
  • avgemc.exe
  • avgam.exe
  • avgnsx.exe
  • avgcsrvx.exe
  • avgui.exe
  • avgnt.exe
  • avfwsvc.exe
  • avguard.exe
  • avshadow.exe
  • avmailc.exe
  • avwebgrd.exe
  • cmdagent.exe
  • cfp.exe
  • dwengine.exe
  • spiderml.exe
  • spidergate.exe
  • spideragent.exe
  • ekrn.exe
  • egui.exe
  • avp.exe
  • McSvHost.exe
  • mfevtps.exe
  • mfefire.exe
  • mcshield.exe
  • mcagent.exe
  • msseces.exe
  • MsMpEng.exe
  • ccSvcHst.exe
  • RkUnhooker.exe
  • RootRepeal.exe
  • gmer.exe
  • kl1.sys
  • Normandy.sys
  • greypill.sys
  • gmer.sys
  • rootrepeal.sys

The trojan hooks the following Windows APIs:

  • NtQuerySystemInformation (ntdll.dll)
  • NtOpenProcess (ntdll.dll)
  • NtOpenThread (ntdll.dll)
  • NtSuspendThread (ntdll.dll)
  • NtTerminateThread (ntdll.dll)
  • NtSetContextThread (ntdll.dll)
  • NtOpenKey (ntdll.dll)
  • NtEnumerateKey (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtSetValueKey (ntdll.dll)
  • NtDeleteValueKey (ntdll.dll)
  • NtQueryInformationThread (ntdll.dll)
  • NtReadVirtualMemory (ntdll.dll)
  • NtWriteVirtualMemory (ntdll.dll)
  • NtProtectVirtualMemory (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • NtShutdownSystem (ntdll.dll)

The trojan can create and run a new thread with its own program code within the following processes:

  • svchost.exe
  • explorer.exe

The trojan can be used for sending spam.
