BKDR_MOUDOOR.F
Backdoor:Win32/Moudoor.B (Microsoft), Backdoor.Win32.Inject.ycb (Kaspersky), Trojan.Gen.2 (Symantec), Gen:Variant.Zusy.5006 (FSecure), Trojan.Win32.Generic!BT (Sunbelt), PUA.Win32.Packer.InstallerVise (Clamav), W32/Farfli.NH (Fortinet), Win32.SuspectCrc (Ikarus), a variant of Win32/Farfli.NH trojan (NOD32), Trojan W32/Troj_Generic.CVLFB (Norman)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.
TECHNICAL DETAILS
116,736 bytes
EXE, DLL
30 Jul 2012
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be manually installed by a user.
Installation
This backdoor drops the following component file(s):
- %User Temp%\up.bak
- %System%\KB{Random Numbers}.dat
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It injects itself into the following processes running in the affected system's memory:
- csrss.exe
- lsass.exe
Autostart Technique
This backdoor adds the following lines or registry entries as part of its routine:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
Backdoor Routine
This backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:
- {BLOCKED}.{BLOCKED}.155.57