Bandok Keylogger Trojan

October 21, 2010

SonicWALL UTM Research received reports of a new backdoor Trojan being spammed in the wild. The Trojan arrives via email as an attachment.

If the user downloads and executes the attachment from the email, it performs the following activities on the victim machine:

  • Process Information:
    • It creates the following processes
      • firefox.exe
      • cfmon_.exe
    • It creates the following mutexes
      • BEN333JDJDJ
      • fHDVQUw
  • Network Activity:
    • It connects to {removed}.com and downloads the following files:
      [screenshot: files downloaded from the domain]
    • It uploads the harvested information back to the same domain. Here is a screenshot of the currently harvested user information as seen on the domain, indexed by username:
      [screenshot: harvested user information indexed by username]

  • File Activity:
    • It creates the following files:
      • %windir%\system32\dream\bupl.dll
      • %windir%\system32\dream\bupws.dll
      • %windir%\system32\dream\sqlite3.dll
      • %windir%\system32\dream\ctfmon_.exe - Detected as GAV: Bandok.WG_2 (Trojan)
      • %windir%\system32\dream\dreamwaver.exe (copy of itself) - Detected as GAV: Bandok.WG (Trojan)
      • %windir%\system32\dream.bns
      • %windir%\system32\dream\blogs{DD}_{MM}_{YYYY}.html
        This file contains information about open windows and the associated keystrokes, and is uploaded to the domain. A sample of the file is shown below:
        [screenshot: sample keystroke log file]

  • Registry Activity:
    • It creates the value "{VB45O-P98RE-KJL43-NMB4-DFR3T}" under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" with the data "%windir%\System32\dream\dreamwaver.exe" to ensure that it runs on every reboot
  • Information Harvesting:
    • It logs keystrokes for each active application
    • It logs form data from open web sessions
    • It harvests e-mail addresses from address book
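The artifacts listed above can be turned into a simple host-triage check. The following is an added example, not SonicWALL's own tooling: it assumes a caller has already collected a snapshot of mutex names, file paths and Run-key entries into a dict (the `SAMPLE_SNAPSHOT` below is constructed for illustration), expands `%windir%` to `C:\Windows` by default, and matches the dated keystroke log by pattern rather than by exact name.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the advisory above (path separators restored).
DREAM_DIR = r"%windir%\system32\dream"
KNOWN_FILES = {"bupl.dll", "bupws.dll", "sqlite3.dll", "ctfmon_.exe", "dreamwaver.exe"}
KNOWN_MUTEXES = {"BEN333JDJDJ", "fHDVQUw"}
RUN_VALUE_NAME = "{VB45O-P98RE-KJL43-NMB4-DFR3T}"
# Daily keystroke log written as blogs{DD}_{MM}_{YYYY}.html
BLOG_RE = re.compile(r"^blogs\d{2}_\d{2}_\d{4}\.html$", re.IGNORECASE)


def _norm(path, windir):
    """Expand %windir% (any case), then lower-case so comparisons ignore case."""
    expanded = re.sub(r"%windir%", lambda _: windir, path, flags=re.IGNORECASE)
    return PureWindowsPath(expanded.lower())


def find_bandok_indicators(snapshot, windir=r"C:\Windows"):
    """snapshot keys: 'mutexes' (list), 'files' (list of paths),
    'run_entries' (dict of value name -> data). Returns a list of findings."""
    findings = []
    dream = _norm(DREAM_DIR, windir)
    for m in snapshot.get("mutexes", []):
        if m in KNOWN_MUTEXES:
            findings.append(f"mutex {m}")
    for f in snapshot.get("files", []):
        p = _norm(f, windir)
        if p.parent != dream:          # only files inside the dream directory matter
            continue
        if p.name in KNOWN_FILES:
            findings.append(f"file {f}")
        elif BLOG_RE.match(p.name):
            findings.append(f"keystroke log {f}")
    for name, data in snapshot.get("run_entries", {}).items():
        target = _norm(data.strip('"'), windir)
        # Flag either the known value name or any Run entry pointing into dream\
        if name == RUN_VALUE_NAME or target.parent == dream:
            findings.append(f"Run key persistence {name} -> {data}")
    return findings


# Constructed sample snapshot (not real collection output).
SAMPLE_SNAPSHOT = {
    "mutexes": ["fHDVQUw", "Local\\UnrelatedMutex"],
    "files": [r"C:\WINDOWS\System32\dream\bupl.dll",
              r"C:\Windows\system32\dream\blogs21_10_2010.html",
              r"C:\Windows\system32\kernel32.dll"],
    "run_entries": {"{VB45O-P98RE-KJL43-NMB4-DFR3T}": r"%windir%\System32\dream\dreamwaver.exe",
                    "Updater": r"C:\Program Files\Updater\updater.exe"},
}

if __name__ == "__main__":
    for line in find_bandok_indicators(SAMPLE_SNAPSHOT):
        print(line)
```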

SonicWALL Gateway AntiVirus provides protection against this Bandok Trojan with the following signatures:
  GAV: Bandok.WG (Trojan)
  GAV: Bandok.WG_2 (Trojan)