BKDR_PIPE.CGD
Aliases: Gen:Win32.ExplorerHijack.bmW@aKJBdrk (FSecure), W32/INJECTO.CGD!tr (Fortinet)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Dropped by other malware, Downloaded from the Internet
This backdoor may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It does not have any propagation routine.
It does not have any downloading capability.
It does not have any information-stealing capability.
TECHNICAL DETAILS
File Size: 16,384 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 14 Feb 2014
Arrival Details
This backdoor may arrive bundled with malware packages as a malware component.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor injects threads into the following legitimate process, so its code runs under that process's name rather than as a separate executable:
- lsass.exe
Propagation
This backdoor does not have any propagation routine.
Download Routine
This backdoor does not have any downloading capability.
Information Theft
This backdoor does not have any information-stealing capability.
NOTES:
This backdoor creates the following named pipe:
- \\.\pipe\{BLOCKED}svc
It then uses the pipe as its command channel and accepts the following commands from a malicious user:
- Create a file
- Open a file and send its contents
- Execute a file
- Terminate itself
It does not have rootkit capabilities.
It does not exploit any vulnerability.
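The two behaviours above, a named pipe served from inside lsass.exe and an operator client connecting to it, are what a defender can hunt for. The following is an added example, not Trend Micro's or the malware's code: it correlates Sysmon named-pipe events (Event ID 17, pipe created; Event ID 18, pipe connected) exported as JSON lines, flags pipes that lsass.exe creates outside an assumed baseline, and then names every process that connects to such a pipe. The baseline set, the sample events and the field names used are assumptions for illustration; build the baseline from your own known-good hosts.

```python
"""Hunt for backdoor-style named pipes served from lsass.exe.

Added example (not from the original page). Assumes Sysmon pipe events
(EventID 17 = Pipe Created, 18 = Pipe Connected) exported as JSON lines
with the fields EventID, PipeName, Image and ProcessId.
"""
import json

# Pipes lsass.exe is expected to create on a clean host. Assumption: this
# list is illustrative only; derive yours from known-good systems.
LSASS_BASELINE = {r"\lsass", r"\protected_storage", r"\samr",
                  r"\lsarpc", r"\netlogon", r"\efsrpc"}

# Constructed sample telemetry (not real logs). The pipe name "\abcsvc" and
# the client path are placeholders standing in for the {BLOCKED}svc pipe.
SAMPLE_LOG = r"""
{"EventID": 17, "PipeName": "\\lsass", "Image": "C:\\Windows\\System32\\lsass.exe", "ProcessId": 612}
{"EventID": 17, "PipeName": "\\srvsvc", "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1040}
{"EventID": 17, "PipeName": "\\abcsvc", "Image": "C:\\Windows\\System32\\lsass.exe", "ProcessId": 612}
{"EventID": 18, "PipeName": "\\abcsvc", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\ctl.exe", "ProcessId": 3328}
{"EventID": 18, "PipeName": "\\srvsvc", "Image": "C:\\Windows\\explorer.exe", "ProcessId": 2200}
"""


def parse_events(text):
    """Parse JSON-lines Sysmon export into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return findings as (rule, pipe_name, image) tuples, in event order.

    Rule 1: lsass.exe created a pipe that is not in the baseline.
    Rule 2: some process connected to a pipe flagged by rule 1; that process
            is the operator's client and belongs in the incident scope.
    """
    findings = []
    suspicious_pipes = set()          # pipes flagged by rule 1
    for ev in events:
        pipe, image = ev["PipeName"], ev["Image"]
        if ev["EventID"] == 17:
            if image_name(image) == "lsass.exe" and pipe.lower() not in LSASS_BASELINE:
                suspicious_pipes.add(pipe.lower())
                findings.append(("lsass_unexpected_pipe", pipe, image))
        elif ev["EventID"] == 18:
            if pipe.lower() in suspicious_pipes:
                findings.append(("client_of_suspicious_lsass_pipe", pipe, image))
    return findings


if __name__ == "__main__":
    for rule, pipe, image in hunt(parse_events(SAMPLE_LOG)):
        print(f"{rule}: pipe={pipe} image={image}")
```

Keying the rule on the creating process rather than on the pipe name matters: legitimate pipes such as \srvsvc and \wkssvc also end in "svc", so a name-only match would page on every domain member, whereas lsass.exe creating a pipe outside its known set is rare enough to investigate every time.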
SOLUTION
Minimum Scan Engine: 9.700
First VSAPI Pattern File: 10.612.04
First VSAPI Pattern Release Date: 17 Feb 2014
VSAPI OPR Pattern Version: 10.613.00
VSAPI OPR Pattern Release Date: 18 Feb 2014
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product and note files detected as BKDR_PIPE.CGD
Step 3
Restart in Safe Mode
Step 4
Search and delete files detected as BKDR_PIPE.CGD
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_PIPE.CGD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.