Method of Infection
OptixPro is configurable, so the way it installs itself varies from one instance to the next.
When run, it copies itself to either the %Windows% or %System% directory, using the configured file name. For example:
%System%\msiexec16.exe
It may also delete the original copy after installation.
Note: '%System%' and '%Windows%' are variable locations. The trojan determines the location of these folders by querying the operating system. The default location of the System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for 95, 98 and ME, and C:\Windows\System32 for XP. The default location of the Windows directory is C:\Winnt for Windows 2000 and NT, C:\Windows for 95, 98 and ME, and C:\Windows for XP.
The trojan can be configured to add registry values to the following keys in order to run each time Windows starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The name of the registry value also varies. For example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLSetIT32 = "%System%\msiexec16.exe"
It is also capable of adding entries to WIN.INI and SYSTEM.INI to launch itself on Windows 9x/ME systems.
It can also be configured to hook the execution of executable (*.exe) files by modifying the registry value:
HKCR\exefile\shell\open\command\(default)
The trojan makes another copy of itself to be launched from this registry location. For example, the following value may be set when using the default configuration settings:
HKCR\exefile\shell\open\command\(default) = c:\windows\system32\mpldfg.exe PASS "%1" %*
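The two persistence locations described above can be triaged from exported registry values without touching the live system. The following script is an added example, not part of the original analysis; it parses lines written in the page's own `key\name = value` notation (the sample lines are constructed from the values quoted above), flags any Run/RunServices entry, and reports an exefile handler that is not the stock Windows value `"%1" %*`.

```python
import re

# Stock handler for .exe files on Windows: anything else means another program
# has been inserted in front of every executable launched (as OptixPro does).
EXPECTED_EXE_HANDLER = '"%1" %*'

# Autorun keys the analysis says OptixPro can be configured to use.
AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
EXEFILE_KEY = r"hkcr\exefile\shell\open\command"

# Constructed sample input, using the example values quoted in the analysis.
SAMPLE_LINES = [
    "Windows Registry Editor Version 5.00",
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLSetIT32 = "%System%\msiexec16.exe"',
    r'HKCR\exefile\shell\open\command\(default) = c:\windows\system32\mpldfg.exe PASS "%1" %*',
]

LINE_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_entry(line):
    """Split 'key\\name = value' into (key path, value name, value); None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, _, name = m.group("key").rpartition("\\")
    return path, name, m.group("value")


def check_exefile_handler(value):
    """Return the program hijacking the .exe handler, or None if it is the stock value."""
    v = value.strip()
    if v == EXPECTED_EXE_HANDLER:
        return None
    if v.startswith('"'):  # quoted path, possibly containing spaces
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(maxsplit=1)[0] if v else ""


def triage(lines):
    """Return (kind, name-or-program, raw value) findings for autorun and exefile entries."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if not parsed:
            continue
        path, name, value = parsed
        if path.lower() in AUTORUN_KEYS:
            findings.append(("autorun", name, value))
        elif path.lower() == EXEFILE_KEY and name == "(default)":
            hijacker = check_exefile_handler(value)
            if hijacker is not None:
                findings.append(("exefile-hijack", hijacker, value))
    return findings
```

Every autorun entry is reported so an analyst can compare the list against a known-good baseline; only the exefile check carries a built-in verdict.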
OptixPro may also be configured to display a fake error message when it is initially run, and can be configured to notify someone when it installs, using ICQ, HTTP, MSN messenger, IRC or SMTP.
Payload
Backdoor Functionality
The OptixPro trojan listens on a TCP port, accepts connections from a client program, and executes commands it receives from the client. The port it listens on is configurable; the default is 3410.
The following is a partial list of functionality provided by OptixPro:
- SOCKS proxy (variable port, default 2080)
- Reboot, shutdown, suspend, etc.
- File manager - view, upload, download, execute files
- View and kill processes
- View, close and minimize windows
- View and modify remote registry
- FTP server (variable port, default 21)
- Scan particular ports on other address ranges
- Port redirection
- Retrieve system information
- Retrieve passwords and log keystrokes
- Capture screen and web cam
Terminates Processes
OptixPro can be configured to terminate processes, especially those related to anti-virus and firewall applications. It contains a default list of AV and firewall processes to kill, but it can be configured to terminate any particular process or service.
Analysis by Hamish O'Dea