BackDoor.Hser.1

Added to the Dr.Web virus database: 2015-04-06

Virus description added:

A backdoor that can execute commands issued by criminals. Cases of the Trojan being spread through targeted mass mailings to employees of a number of Russian defense enterprises were detected. The emails were supposedly sent from headquarters, were titled «Дополнение к срочному поручению от 30.03.15 № УТ-103» (“Addition to an urgent task as of 03/30/15 #UT-103”), and carried an attached Microsoft Excel file named Копия оборудование 2015.xls (Copy equipment 2015.xls).

The file contains an exploit for the vulnerability CVE-2012-0158, which is present in some versions of Microsoft Excel. Once the file is opened on a targeted computer, the excel.exe process is launched with the Trojan’s dropper embedded in it.

From its body, the dropper unpacks the backdoor BackDoor.Hser.1 and saves it to disk as "C:\Windows\Tasks\npkim.dll". It then registers this library for autorun by modifying the system registry branch [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'mcsam' = "rundll32.exe C:\Windows\Tasks\npkim.dll,RooUoo". Finally, the Trojan launches cmd.exe to delete the file of the excel.exe process.
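The persistence mechanism above (a rundll32.exe autorun value pointing at a DLL dropped under C:\Windows\Tasks) is easy to check for in a registry listing. The script below is an added example, not Dr.Web's code or part of the original description: it parses `reg query`-style output of the Run key, extracts the DLL path and export name from each rundll32 command line, and flags values that either load a DLL from a low-trust directory or match the value name, file name and export named in this write-up. The sample registry output and the benign entries in it are constructed for illustration; the extra low-trust directories beyond C:\Windows\Tasks are an assumption added here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the write-up above (value name, DLL file name, exported entry point).
IOC_VALUE_NAME = "mcsam"
IOC_DLL_NAME = "npkim.dll"
IOC_EXPORT = "RooUoo"

# C:\Windows\Tasks is the directory this backdoor uses; the others are an assumption
# added here as common low-trust drop locations for autorun DLLs.
LOW_TRUST_DIRS = ("\\windows\\tasks\\", "\\users\\", "\\programdata\\", "\\temp\\")

# Constructed sample of 'reg query HKCU\...\Run' output (not from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ctfhelper    REG_SZ    C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL
    mcsam    REG_SZ    rundll32.exe C:\Windows\Tasks\npkim.dll,RooUoo
"""


def parse_reg_query(text: str) -> List[Tuple[str, str]]:
    """Parse 'reg query' style output into (value name, data) pairs; key-path lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            entries.append((parts[0], parts[2]))
    return entries


def parse_rundll32(command: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll path, export name) if the command line invokes rundll32, else None."""
    m = re.match(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', command, re.IGNORECASE)
    if not m:
        return None
    dll, _, export = m.group(1).strip().partition(",")
    return dll.strip().strip('"'), (export.strip() or None)


def assess_run_value(name: str, command: str) -> List[str]:
    """Return the reasons a Run-key value looks suspicious; an empty list means nothing was flagged."""
    reasons: List[str] = []
    parsed = parse_rundll32(command)
    if parsed is None:
        return reasons
    dll, export = parsed
    dll_lower = dll.lower()
    if any(d in dll_lower for d in LOW_TRUST_DIRS):
        reasons.append(f"rundll32 loads a DLL from a low-trust directory: {dll}")
    if (name.lower() == IOC_VALUE_NAME
            or dll_lower.endswith(IOC_DLL_NAME)
            or (export or "") == IOC_EXPORT):
        reasons.append("matches BackDoor.Hser.1 persistence indicators")
    return reasons


def scan(text: str) -> Dict[str, List[str]]:
    """Assess every value in a Run-key listing; keys are value names, values are reason lists."""
    return {name: assess_run_value(name, cmd) for name, cmd in parse_reg_query(text)}


if __name__ == "__main__":
    for value_name, reasons in scan(SAMPLE_REG_QUERY).items():
        status = "; ".join(reasons) if reasons else "ok"
        print(f"{value_name}: {status}")
```

On a live host the text would come from `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"`; the low-trust-directory rule catches renamed copies of the DLL, while the indicator rule pins down this specific family.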

Once launched on the infected computer, BackDoor.Hser.1 decrypts the address of the command and control server, which is stored in the Trojan’s body. For this it uses a 4-byte key, expanded to a 256-byte key by repeating it, and then applies the standard RC4 algorithm. Requests to the command and control server are fixed-length strings encoded with base64; before base64 encoding, the string is padded with zeroes to the required length.
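The key expansion, RC4 step and zero-padded base64 request framing described above are reproduced below as an added example for analysts who need to recover the C2 string from a configuration blob or decode captured requests. This is not Dr.Web's code or code from the sample; the key, the placeholder C2 string and the 64-byte frame length are constructed values, and the real sample's frame length is not given on this page.

```python
import base64


def expand_key(key4: bytes, length: int = 256) -> bytes:
    """Expand a 4-byte key to `length` bytes by repeating it, as the write-up describes."""
    if len(key4) != 4:
        raise ValueError("expected a 4-byte key")
    return (key4 * (length // len(key4) + 1))[:length]


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (key scheduling + keystream XOR). Symmetric: one call encrypts or decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_c2(key4: bytes, blob: bytes) -> str:
    """Recover the embedded C2 string: 4-byte key -> 256-byte key -> RC4, then drop NUL padding."""
    return rc4(expand_key(key4), blob).rstrip(b"\x00").decode("ascii", errors="replace")


def frame_request(payload: bytes, length: int) -> str:
    """Build a request in the described format: zero-pad to a fixed length, then base64-encode."""
    if len(payload) > length:
        raise ValueError("payload longer than the fixed frame length")
    return base64.b64encode(payload + b"\x00" * (length - len(payload))).decode("ascii")


def unframe_request(encoded: str, length: int) -> bytes:
    """Reverse of frame_request: validate the fixed length, then strip the zero padding."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) != length:
        raise ValueError(f"unexpected frame length {len(raw)}, expected {length}")
    return raw.rstrip(b"\x00")


# Constructed sample values (not from the real sample): a key, a placeholder C2 string
# and an assumed frame length.
SAMPLE_KEY = b"\x13\x37\xbe\xef"
SAMPLE_C2 = b"c2.example.invalid:443"
FRAME_LEN = 64

if __name__ == "__main__":
    # Simulate a NUL-padded config blob as it would sit in the Trojan body, then decrypt it.
    blob = rc4(expand_key(SAMPLE_KEY), SAMPLE_C2 + b"\x00" * 10)
    print("decrypted C2:", decrypt_c2(SAMPLE_KEY, blob))
    req = frame_request(b"ID=0001;OS=Windows", FRAME_LEN)
    print("framed request:", req)
    print("unframed:", unframe_request(req, FRAME_LEN))
```

One consequence worth knowing when writing a config extractor: because RC4's key schedule indexes the key modulo its length, a 256-byte key made of a repeated 4-byte value produces exactly the same keystream as the 4-byte key itself, so the expansion step changes nothing cryptographically and the extractor can feed the 4 raw bytes straight into any RC4 implementation.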

The backdoor can execute the following commands:

  • send to a server information about the system (operating system, presence of a proxy server in the network, name of the computer, IP address);
  • assign ID (unique identifier of the affected computer);
  • send to a server a list of active processes;
  • “kill” the process with a specified PID;
  • write data in a file (1 byte for every command);
  • run a file;
  • launch the console and execute input/output redirection to a control and command server.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.