About Diary's Authors

The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.

Analyst's Diary

More on Backdoor.Win32.Breplibot.b


Yury, November 10, 2005 | 12:00 GMT


We've been analysing the backdoor program which uses the Sony rootkit technology.

Trend Micro has told us that the backdoor was mass-mailed using spamming techniques. The message sent was as follows:

Message subject:

Requesting Photo Approval

Attachment name:

article_december_3621.exe

Message body:

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.

Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
**********************************************

Breplibot.b is 10240 bytes in size, and packed using UPX.

When launched, the backdoor copies itself to the Windows system directory as $SYS$DRV.EXE. Because the file name carries the $SYS$ prefix, the cloaking component of the rootkit technology used by Sony hides the malicious program's file and activity along with Sony's own. Of course, the backdoor's activity will only be hidden if the 'Sony rootkit' has already been installed on your computer.

Once launched, the backdoor creates the following system registry key:

[HKEY_LOCAL_MACHINE]
"WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"="$SYS$DRV.EXE"
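The value name quoted above is not random: applying a single-byte XOR with 0x04 to every character yields Software\Microsoft\Windows\CurrentVersion\Run, the standard Windows autostart key. That decoding is an observation added here, not something the post states, and the post does not say whether the sample writes the decoded path or the literal string to the registry. The following Python script is an added example (not code from the post or from Kaspersky Lab): it performs the decode and then shows the defensive check the post implies, namely scanning autostart entries for names beginning with $sys$, the prefix that the Sony/XCP cloaking driver hides from the user. The Run-key entries in the script are constructed sample data, not taken from any real host.

```python
# Added example: decode the obfuscated registry value name from the post and
# flag autostart entries that the $sys$ naming trick would cloak.

# The value name exactly as printed in the post.
OBFUSCATED_NAME = "WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"

# Observation (not stated in the post): each character is the plaintext XOR 0x04.
XOR_KEY = 0x04

# The Sony/XCP cloaking driver hides any file, process or key whose name
# starts with this prefix (case-insensitive).
CLOAK_PREFIX = "$sys$"


def xor_decode(text: str, key: int = XOR_KEY) -> str:
    """Undo a single-byte XOR applied to each character of the string."""
    return "".join(chr(ord(c) ^ key) for c in text)


def is_cloaked_name(name: str) -> bool:
    """True if the XCP cloaking driver would hide an object with this name."""
    return name.lower().startswith(CLOAK_PREFIX)


def find_cloaked_run_entries(run_values):
    """Given (value_name, command) pairs read from a Run key, return the pairs
    whose value name or executable file name begins with $sys$ and would
    therefore be invisible on a machine where the Sony rootkit is installed."""
    flagged = []
    for value_name, command in run_values:
        # The cloaking decision is made on the object name, so strip the path
        # and any surrounding quotes before testing the prefix.
        file_name = command.replace("/", "\\").split("\\")[-1].strip('"')
        if is_cloaked_name(file_name) or is_cloaked_name(value_name):
            flagged.append((value_name, command))
    return flagged


# Constructed sample Run-key contents (not real data from any host).
SAMPLE_RUN_VALUES = [
    ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("$sys$drv", "C:\\WINDOWS\\system32\\$SYS$DRV.EXE"),
    ("Adobe Reader Speed Launcher",
     "\"C:\\Program Files\\Adobe\\Reader\\reader_sl.exe\""),
]

if __name__ == "__main__":
    print("decoded value name:", xor_decode(OBFUSCATED_NAME))
    for name, cmd in find_cloaked_run_entries(SAMPLE_RUN_VALUES):
        print("cloaked autostart entry:", name, "->", cmd)
```

On a live system the Run-key pairs would come from a registry export or from a tool that reads the hive offline, since the cloaking driver filters what the normal registry API returns; the prefix check is the same either way.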

 

Copyright © 1996 - 2010 Kaspersky Lab. All rights reserved.