WMFA details

  • Description

    from the doc: '- Well, at first, WMFAIN.exe needs to be executed on the target computer. This file is a 'silent' self-extracting ZIP archive that includes the following files:
      WMFAINS.dll
      WMFAINS.exe
      WMFAINSS.bin
      WMFAINSC.bin
      WMFAINST.exe
    All these files will be automatically extracted to C:\Windows\Temp.
    - Then, C:\Windows\Temp\WMFAINST.exe will be executed, which does the following:
      - It copies WMFAINS.dll, WMFAINS.exe, WMFAINSS.bin and WMFAINSC.bin to the Windows directory and deletes these files from C:\Windows\Temp.
      - Then, it creates the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMFAINS. After that, it sets its value to: %WINDIR%\WMFAINS.exe
      - At last, it starts %WINDIR%\WMFAINS.exe
    - So now WMFAINS.exe is running and will be started whenever Windows reboots. This program does the following:
      - This program waits in the background until ICQ.exe is started.
      - When it detects ICQ, it waits for ICQ to finish initializing.
      - Then, it reads the data in WMFAINSS.bin and copies it into ICQ.exe's private memory at address 0x610000 (somewhere in stack space, I guess).
      - After that, WMFAINS.exe does the same with WMFAINSC.bin at address 0x611000.
      - Then WMFAINS.exe reads the jump table address of the strlen() function that is located at 0x532658 and copies the address (the value of *(0x532658)) to 0x6101F8.
      - After that, WMFAINS.exe changes the jump table address of the strlen() function that ICQ.exe imports (= *(0x532658)) to 0x610000.
    - So why does this make sense? Well, because the jump table address of strlen() has been changed, the next time ICQ calls strlen() it will look up its address, but instead it finds 0x610000 and jumps to the code WMFAINS.exe has inserted at this location. So this little piece of machine code will do the following:
      - At first, it changes the jump table address of strlen() (= *(0x532658)) to its original value that WMFAINS.exe has saved at 0x6101F8 as mentioned above. So the next time strlen() is called ICQ will arrive at the correct address.
      - Then the code loads WMFAINS.dll and saves its handle at 0x610200.
      - Then, WMFAINSS.bin uses GetProcAddress() to receive the address of the stdcall function @DoStart$qqsul that WMFAINS.dll exports. Then it saves its address to 0x610204.
      - Then, it gets the address of the function @DoQuit$qqsv and saves the address at 0x610208 for later use.
      - After that, 0x610204 (= address of @DoStart$qqsul) is called with the parameter value of 15432. This is the port that WMFAINS.dll's server will be listening on.
      - Then the jump table address of exit() located at 0x5325C8 will be copied to 0x6101FC.
      - Then the address of exit() (= *(0x5325C8)) is replaced by 0x611000, where WMFAINSC.bin's code has been loaded by WMFAINS.exe.
      - Finally, WMFAINSS.bin's code jumps to *(0x532658) (= strlen()'s address) to make the strlen() call continue. So ICQ.exe doesn't notice anything of what has happened and thinks it has just done a normal strlen() call.
    - Now, WMFAINS.dll is loaded in ICQ.exe's address space and acts silently as a server. This is described in greater detail below. But now you'll see what happens with WMFAINSC.bin:
      - When ICQ.exe quits, it calls exit(), but its address has been changed to 0x611000, so WMFAINSC.bin's code gets executed:
      - This code calls FreeLibrary() with the library handle stored at 0x610200 to unload WMFAINS.dll.
      - Then it jumps to the address at *(0x6101FC), which is exit()'s real address. So ICQ.exe finishes unloading and exits.'

  • Alias

    Backdoor Program [Panda]
    Backdoor.WMFA
    Backdoor.WMFA [Kaspersky]
    Backdoor/WMFA.A [Computer Associates]

  • Exe

    wmfaclient.exe
    wmfaconnc.exe
    wmfain.exe
    wmfains.exe
    wmfainst.exe
    wmfaunst.exe

  • Dll

    wmfains.dll