PHP_SIMPLESHELL.F
Backdoor:PHP/SimpleShell.A (Microsoft), PHP.Backdoor.Trojan (Symantec), Troj/PHPShl-AK (Sophos)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file unknowingly downloaded by users visiting malicious sites. It may also be hosted on a website and executed when a user accesses that website.
TECHNICAL DETAILS
File Size: 1,607 bytes
File Type: Other
Initial Samples Received Date: 03 Aug 2015
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file unknowingly downloaded by users visiting malicious sites.
It may also be hosted on a website and executed when a user accesses that website.
Installation
This backdoor drops the following files:
- {PHP Server Document Root}\plugins\user\go.php
- {PHP Server Document Root}\images\stories\go.php
- {PHP Server Document Root}\cache\go.log
It drops the following copies of itself into the affected system:
- {PHP Server Document Root}\plugins\user\explore.php
- {PHP Server Document Root}\plugins\user\crimeirc.php
- {PHP Server Document Root}\wp-includes\wp-info.php
Other Details
This backdoor connects to the following possibly malicious URLs:
- http://{BLOCKED}mu.co.kr/bbs//data/lol.txt
- http://www.{BLOCKED}et.ru/includes/js/calendar/lang/go.log
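The drop locations listed under Installation are standard Joomla (plugins/user, images/stories, cache) and WordPress (wp-includes) directories, and the callback hosts above are redacted, so the two usable indicators for a responder are the relative file paths and the URL paths. The following script is an added example, not Trend Micro's code: it sweeps a document root for the listed files, additionally flags any PHP file under directories that should only hold static or cached content (an assumption about a stock install, not something the write-up states), and matches the callback URL paths in proxy log lines regardless of host. The sample document root, the log format and the .invalid hostnames are constructed here for the demonstration.

```python
"""IOC sweep for the PHP_SIMPLESHELL.F indicators in the write-up above.

Added example (not Trend Micro's code). File paths and URL paths come from
the write-up; the sample document root and proxy log lines are constructed.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Relative paths from the Installation section, normalised to forward slashes.
DROPPED_FILES = {
    "plugins/user/go.php",
    "images/stories/go.php",
    "cache/go.log",
    "plugins/user/explore.php",
    "plugins/user/crimeirc.php",
    "wp-includes/wp-info.php",
}

# Assumption: on a stock Joomla/WordPress install these directories hold
# static or cached content and should never contain executable PHP.
NO_PHP_DIRS = tuple(d + "/" for d in ("images/stories", "cache", "wp-content/uploads"))

# URL paths of the callback locations. Hosts are {BLOCKED} in the write-up,
# so matching is done on the path component only.
CALLBACK_PATHS = {"/bbs//data/lol.txt", "/includes/js/calendar/lang/go.log"}


def _norm(path):
    """Collapse repeated slashes so '/bbs//data' and '/bbs/data' compare equal."""
    return re.sub(r"/+", "/", path)


NORM_CALLBACK_PATHS = {_norm(p) for p in CALLBACK_PATHS}


def sweep_docroot(docroot):
    """Return sorted (relative_path, reason) tuples for suspicious files."""
    root = Path(docroot)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in DROPPED_FILES:
            findings.append((rel, "known SimpleShell.F artifact"))
        elif p.suffix.lower() == ".php" and rel.startswith(NO_PHP_DIRS):
            findings.append((rel, "PHP file in non-code directory"))
    return sorted(findings)


# Constructed log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return (client, url) for every request whose URL path is a known callback path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if _norm(urlparse(m["url"]).path) in NORM_CALLBACK_PATHS:
            hits.append((m["client"], m["url"]))
    return hits


# Constructed sample log: lines 2 and 3 hit, line 4 is a near-miss on a
# shorter path and must not match.
SAMPLE_LOG = """\
2015-08-03T10:00:01Z 10.0.0.5 GET http://www.example.invalid/index.php 200
2015-08-03T10:00:02Z 10.0.0.5 GET http://host-a.invalid/bbs//data/lol.txt 200
2015-08-03T10:00:03Z 10.0.0.7 GET http://host-b.invalid/includes/js/calendar/lang/go.log 404
2015-08-03T10:00:04Z 10.0.0.7 GET http://cdn.example.invalid/js/calendar/lang/go.log 200
""".splitlines()


def build_sample_docroot():
    """Create a temporary document root mixing benign files and IOC hits (constructed)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel in ("index.php", "plugins/user/user.php", "images/stories/logo.png",
                "images/stories/go.php", "plugins/user/crimeirc.php",
                "cache/go.log", "cache/thumb.php"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        body = "<?php /* constructed sample */ ?>\n" if rel.endswith(".php") else "sample\n"
        p.write_text(body)
    return root


if __name__ == "__main__":
    for rel, reason in sweep_docroot(build_sample_docroot()):
        print(f"FILE  {rel}: {reason}")
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"EGRESS {client} -> {url}")
```

Point sweep_docroot at the real document root (the write-up's {PHP Server Document Root}) and feed scan_proxy_log whatever egress log you have after adapting LOG_RE to its format; the path match deliberately tolerates the doubled slash in the first URL, which some proxies collapse before logging.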