The new e-threat, which goes by the name of Backdoor.Yonsole, has two variants (A and B) and follows in the footsteps of another retro piece of malware that attacked the Master Boot Record area of hard-disk drives: the Zimuse worm.
Initially spotted on Saturday, Backdoor.Yonsole comes bundled with various applications, including what appears to be a “critical Microsoft® Windows® update”. Preliminary analysis revealed that its two variants share the same functionality, although they are somewhat different in terms of file layout.
If infection succeeds, Yonsole drops a DLL file called comres.dll in either %windir% (the A variant) or %programfiles%\Internet Explorer (the B variant). Moreover, variant A also drops a second instance of the backdoor, called f[random-string]k.cmd, inside %windir%\system32. While variant B of the malware attempts to inject itself into the memory space of Internet Explorer® (iexplore.exe) in order to hide its process and deter removal, the A variant injects itself into svchost.exe as a module and registers as a Windows service set to start at every boot-up. In order to avoid re-infecting an already-infected system, Backdoor.Yonsole creates a mutex object called gh0stQQ:376111502.
The randomly-named Windows service is actually the backdoor component that listens on port 8000 for the instructions a remote attacker may send. In-depth analysis has revealed that Backdoor.Yonsole can perform one of the following actions, depending on which command has been issued by the remote attacker:
1. Undoubtedly, the most dangerous feature of the malware is its ability to overwrite the hard-drive’s Master Boot Record with 512 bytes of code, which prevents the system from booting. Once the MBR has been compromised and the machine is next (re)started, the operating system displays a series of 24 “=” signs (printed by the code above) and freezes. In short, the attacker can remotely take your computer out of business simply by sending a command to the backdoor.
2. Yonsole also performs a series of Registry tweaks to facilitate the backdoor connection with the Windows Terminal Service on port 61.
3. The backdoor is also able to download and execute a remotely-hosted file whose link is supplied by the attacker as a backdoor command.
4. As soon as the malware has been deployed, it clears the Event Logs, in order to prevent the user from noticing the large number of log entries the malware itself generates.
5. The backdoor also collects detailed information about the infected system, such as the number of processors installed in the machine or the amount of free space available on the hard-disk drive.
6. Last but not least, the remote attacker is able to shut the machine down after the MBR has been compromised. If the system is restarted, it will no longer be able to boot Windows normally.
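The host-level indicators described above (comres.dll in the two drop directories, the f[random-string]k.cmd dropper, the gh0stQQ mutex, and a listener on port 8000 inside svchost.exe or iexplore.exe) can be checked in a single triage pass. The script below is an added example written for this article; it is not part of the original write-up or of BitDefender's removal tool. It runs offline against constructed samples that mimic the shape of `netstat -ano` and `tasklist` output plus a directory listing, so those input formats, the sample PIDs and the sample file names are assumptions.

```python
"""Host triage for the Backdoor.Yonsole indicators named in the article.

Added example, not part of the original write-up or of BitDefender's removal
tool. The input formats below mimic `netstat -ano`, `tasklist` and a recursive
directory listing; the real commands are not executed here, so the script runs
offline against the constructed samples at the bottom (an assumption about how
such data would be collected on a live host).
"""
import re
from typing import Dict, List

# --- indicators taken from the article --------------------------------------
LISTEN_PORT = 8000                         # backdoor listener
MUTEX_NAME = "gh0stQQ:376111502"           # infection-marker mutex
DROPPED_DLL = "comres.dll"
# Directories the article names for comres.dll. A legitimate comres.dll ships
# in %windir%\system32, so that location is deliberately NOT flagged.
DLL_DIRS = {r"c:\windows", r"c:\program files\internet explorer"}
# Variant A's second dropper: f[random-string]k.cmd inside %windir%\system32
CMD_RE = re.compile(r"^c:\\windows\\system32\\f[^\\]*k\.cmd$", re.I)
# Processes the article says the backdoor injects into
INJECT_HOSTS = {"svchost.exe", "iexplore.exe"}

# Matches lines such as "  TCP    0.0.0.0:8000    0.0.0.0:0    LISTENING    1044"
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)


def find_listener(netstat_lines: List[str], pid_to_image: Dict[int, str]) -> List[str]:
    """Flag a LISTENING socket on the backdoor port owned by an injection host."""
    findings = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), int(m.group(2))
        image = pid_to_image.get(pid, "?").lower()
        if port == LISTEN_PORT and image in INJECT_HOSTS:
            findings.append(f"pid {pid} ({image}) listening on tcp/{port}")
    return findings


def find_dropped_files(paths: List[str]) -> List[str]:
    """Flag comres.dll in the article's drop directories and the f*k.cmd dropper."""
    findings = []
    for p in paths:
        low = p.lower()
        directory, _, name = low.rpartition("\\")
        if name == DROPPED_DLL and directory in DLL_DIRS:
            findings.append(f"dropped dll: {p}")
        elif CMD_RE.match(low):
            findings.append(f"dropped cmd: {p}")
    return findings


def find_mutex(mutex_names: List[str]) -> List[str]:
    """Flag the infection-marker mutex (names as listed by a handle-enumeration tool)."""
    return [f"mutex present: {m}" for m in mutex_names if m == MUTEX_NAME]


def triage(netstat_lines, pid_to_image, paths, mutex_names) -> List[str]:
    """Run every check and return the combined list of findings."""
    return (find_listener(netstat_lines, pid_to_image)
            + find_dropped_files(paths)
            + find_mutex(mutex_names))


# --- constructed sample data (not captured from a real infection) -----------
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812",
    "  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1044",
    "  TCP    192.168.1.5:49160      203.0.113.7:443        ESTABLISHED     2210",
]
SAMPLE_PIDS = {812: "svchost.exe", 1044: "svchost.exe", 2210: "iexplore.exe"}
SAMPLE_PATHS = [
    r"C:\Windows\comres.dll",            # variant A drop location
    r"C:\Windows\System32\comres.dll",   # legitimate copy, must not be flagged
    r"C:\Windows\System32\fq7z1k.cmd",   # matches f[random-string]k.cmd
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_MUTEXES = ["MSCTF.Shared.MUTEX.ABC", "gh0stQQ:376111502"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_PIDS, SAMPLE_PATHS, SAMPLE_MUTEXES):
        print(finding)
```

The port check is deliberately tied to the two injection hosts rather than to port 8000 alone, since plenty of legitimate software listens there; likewise the comres.dll check skips %windir%\system32, where Windows keeps its own copy of that file, so only the locations the article names produce a finding.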
If you have any suspicion that your system may already be infected, you are strongly advised to run the attached removal tool. If the MBR has not been overwritten yet, the removal tool will clean the system and reboot it. The BitDefender antivirus has also been updated with signatures to block and delete both versions of Backdoor.Yonsole, so if you already have BitDefender installed on your machine you do not need to run the removal tool.
If your system has been compromised, you still have a chance to get your Windows® installation back by running the fixmbr command (for Windows XP systems) or a combo of bootrec.exe /fixmbr and bootrec.exe /fixboot (if you’re running either Vista or Windows 7), but you’ll have to boot up from the Windows® installation CD / DVD.
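Before resorting to fixmbr or bootrec, an analyst working from a forensic image of the drive can check whether the first sector still looks like a plausible Windows MBR. The following is an added example written for this article, not the malware's code and not BitDefender's tool. It parses the 512-byte sector (boot signature, partition table, boot-code region) and flags the symptom the article describes; the "overwritten" sample it ships with is a constructed stand-in, and the idea that the 24 "=" signs are stored as a literal byte run in the sector is an assumption.

```python
"""Offline integrity check for the first sector (MBR) of a disk image.

Added example, not from the article and not BitDefender's removal tool. Use it
on a forensic image of the affected drive to decide whether the boot sector is
still a plausible Windows MBR before resorting to fixmbr / bootrec. The
"overwritten" sample below is a constructed stand-in, not the malware's code.
"""
import struct
import sys
from typing import List, Tuple

SECTOR_SIZE = 512
PART_TABLE_OFF = 446            # four 16-byte partition entries live at 446..509
ENTRY_FMT = "<B3xB3xII"         # status, CHS start (skipped), type, CHS end (skipped), LBA, count
BOOT_SIG = b"\x55\xaa"          # bytes 510..511 of a valid MBR
# The article says the clobbered sector prints 24 "=" signs; that they are
# stored as a literal byte run in the sector is an assumption.
EQUALS_MARKER = b"=" * 24


def read_mbr(image_path: str) -> bytes:
    """Return the first 512 bytes of a raw disk image."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_partitions(sector: bytes) -> List[Tuple[int, int, int, int]]:
    """Decode the four partition entries as (status, type, lba_start, sector_count)."""
    return [struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
            for i in range(4)]


def check_mbr(sector: bytes) -> List[str]:
    """Return a list of integrity problems; an empty list means the MBR looks intact."""
    issues = []
    if len(sector) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(sector)}"]
    if sector[510:512] != BOOT_SIG:
        issues.append("boot signature 0x55AA missing")
    if not any(ptype != 0 for _, ptype, _, _ in parse_partitions(sector)):
        issues.append("partition table empty (no entry with a non-zero type)")
    if not any(sector[:PART_TABLE_OFF]):
        issues.append("boot code region is all zero")
    if EQUALS_MARKER in sector:
        issues.append("run of 24 '=' bytes found (matches the described symptom)")
    return issues


# --- constructed samples ----------------------------------------------------
def build_healthy_mbr() -> bytes:
    """A minimal plausible MBR: filler boot code, one NTFS entry, boot signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"      # constructed filler, not a real boot loader
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def build_overwritten_mbr() -> bytes:
    """Stand-in for a clobbered sector: the '=' marker, no partition table, no signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:len(EQUALS_MARKER)] = EQUALS_MARKER
    return bytes(sector)


if __name__ == "__main__":
    # usage: python mbr_check.py /path/to/disk.img  (falls back to the constructed sample)
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else build_overwritten_mbr()
    problems = check_mbr(sector)
    print("MBR looks intact" if not problems else "\n".join(problems))
```

A missing 0x55AA signature or an empty partition table is enough on its own to explain a machine that no longer boots, so those two checks carry the decision; the "=" marker is only corroborating evidence, and the partition entries the parser recovers are worth saving before any repair, since fixmbr rewrites only the boot code and relies on the table still being intact.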
The information in this article is available courtesy of Daniel Chipiristeanu, BitDefender Malware Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.