Aliases

Backdoor.Win32.Netdex.a (Kaspersky Lab) is also known as: Backdoor.Netdex.a (Kaspersky Lab), JS/Netdex@M (McAfee),   Troj/Netdex-A (Sophos),   JS/Netdex* (RAV),   BackDoor.Netdex (Grisoft),   HTML.Netdex.A (ClamAV),   Win32/Netdex.10 (Eset)

Description added	Oct 15 2002
Behavior	Backdoor

Technical details

Netdex is multi-component backdoor trojan program. It allows a remote hacker to take control of infected computers. To accomplish this, the backdoor code downloads special script files from the Web site http://www.two.com.ru, processes them and then sends the result back to that Web site.

The main backdoor component is a Java Script program with the name,

"zshell.js"

Other backdoor components are:

a.com - DOS COM program (helper)
netd.exe - Win32 EXE program (transfer service)
o.js, installer.php - Java Script (installer)
repost.html, sh.php - HTML page with Java Script program (additional component)

Infecting
Computers become infected when visiting the backdoor's host site at http://www.two.com.ru. This site's index page contains a script program. If script programs are permitted to run on the target computer, the script is then executed.

Exploiting a security breach the script creates and runs backdoor components on victim computers. Upon execution the components install themselves into the system, and run a backdoor routine. The main backdoor component is registered in two system registry auto-run keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Time Zone Synchronization = wscript "%Cookies folder%\zshell.js"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Time Zone Synchronization = wscript "%Cookies folder%\zshell.js"

The backdoor uses the 'Microsoft VM ActiveX Component' vulnerability. Please go to http://www.microsoft.com/technet/security/bulletin/MS00-075 for more details.

To hide the backdoor's activity the Web page has the page Title and text in Russian:

Title: Why did you get here?
Text: Enter password to begin

In case a password is entered, additional text in Russian is displayed.

Netdex Password Screen:

Main Backdoor Component
The backdoor itself is a script program written in the Java Script language. Once each minute the backdoor receives from the host site a set of commands and executes them. This backdoor performs the following commands:

• runs a command or specified local file
• displays specified message on computer's desktop
• updates itself
• sends email on behalf of victim computer
• terminates itself

See a full list of commands below.

Technical Details - Infecting

Step1 - opening the infected Web page
While infecting the Java Script on the hacker's web site's main HTML page, the following files are 'dropped' onto victim computers:

• dropped file: DOS COM file named a.com. This files is saved to the Windows temp directory.
• file dropped and executed: the Java script named zshell.js. This file is saved to the Windows 'Cookies' directory

Thus there are two new files on victim computers:

"%TMP%\a.com"
"%Cookies folder%\zshell.js"

Step2 - Creating the Backdoor Component
The 'zshell.js' script that is run during Step1 performs two main actions:

Action1: - it creates the "transfer service" file - netd.exe - a Win32 EXE file.

To do this the script runs the 'a.com' file in the temporary folder. The 'a.com' file extracts from its code, decrypts and drops the 'netd.exe' file into the temporary directory. This file is then copied to the Windows 'Cookies' folder.

The 'netd.exe' program will then be used as a helper to send/receive data to/from the main backdoor's Web page. This helper program supports SMTP and HTTP protocols to transfer data to/from infected computers.

Action2: It downloads the file 'install.php' from the Web page, stores it with under the name 'o.js' and runs it.

To do this the script uses the "GET HTTP" command and 'netd.exe' transfer service.

Step3 - Installing the Backdoor
The 'o.js' script that is run in Step2 performs the following actions:

Action1: it downloads the 'sh.php' file from Web page, stores it under the 'zshell.js' name, and executes it. The file 'zshell.js' is the main backdoor component.

Action2: it creates registry auto-run keys that will start the main backdoor component (zshell.js) upon Windows restart.

Action3: it creates the backdoor auto re-run script file.

To do this the 'o.js' script creates a new 'repost.html' file in the Windows Cookies folder:

"%Cookies folder%\repost.html"

and writes a script program to this location that runs the zshell.js file (main backdoor component).

The repost.html file is then registered in the registry key:

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\PostNotCached

This script, in some cases, is then automatically run by Internet Explorer, and the main backdoor script gains control.

This completes the installation.

Backdoor Commands:

• EXIT - terminates the backdoor program
  
• NOBREAK - does nothing
  
• SETCMDURL - stores new host (Web page) to communicate with
  
• RUN - run command (from argument)
  
• SENDMAIL - sends email message - SMTP is read from the "HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server", or "mail.ru" is used in case of an error
  
• UPDATE - downloads file and stores it to the "%Cookies folder%\zshell.js"
  
• ALERT - displays a message
  
• SLEEP - waits %n% minutes (%n% is in argument)
  
• SENDCONFIRM - reports 'I am here'
  
• RUNTHESELF - restarts itself from the "%Cookies folder%\zshell.js"