Analysis by: Nikko Tamana

ALIASES:

W32/Simda.B!tr (Fortinet), Trojan-Spy.Win32.Zbot (Ikarus), Backdoor:Win32/Atadommoc.C (Microsoft), a variant of Win32/Injector.YQX trojan (NOD32)

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size: 53,248 bytes
File Type: EXE
Initial Samples Received Date: 08 Nov 2012

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • {All Users' Profile}\Application Data\COMMON.DATA

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
AutoStart = {Malware Path}

Backdoor Routine

This backdoor opens the following port(s) where it listens for remote commands:

  • 8080

Other Details

This backdoor connects to the following possibly malicious URLs (shown here as partially masked IP addresses):

  • {BLOCKED}.{BLOCKED}.29.115
  • {BLOCKED}.{BLOCKED}.179.11
  • {BLOCKED}.{BLOCKED}.179.117
  • {BLOCKED}.{BLOCKED}.216.50
  • {BLOCKED}.{BLOCKED}.184.90
  • {BLOCKED}.{BLOCKED}.243.58
  • {BLOCKED}.{BLOCKED}.196.41
  • {BLOCKED}.{BLOCKED}.121.164
  • {BLOCKED}.{BLOCKED}.243.136

NOTES:
{Malware Path} is a variable location. It is the location of the BKDR_ATADOMMO.C executable and will vary according to where the executable has been installed.
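The following PowerShell script is an added example, not part of the Trend Micro write-up, that checks a host for the three indicators described above: the dropped COMMON.DATA file, the "AutoStart" value under the HKLM Run key, and a process listening on TCP port 8080. The function name, variable names and output format are this example's own; it assumes an elevated PowerShell session on the host being examined and that %ALLUSERSPROFILE% resolves to the "All Users" profile the write-up refers to.

```powershell
# Added example: host check for the BKDR_ATADOMMO.C indicators listed in the write-up.
# Function and variable names are this example's own; run in an elevated session.
function Test-AtadommoIndicators {
    $findings = @()

    # 1. Dropped file: {All Users' Profile}\Application Data\COMMON.DATA
    $dropPath = Join-Path $env:ALLUSERSPROFILE 'Application Data\COMMON.DATA'
    if (Test-Path -LiteralPath $dropPath) {
        $item = Get-Item -LiteralPath $dropPath -Force
        $findings += New-Object PSObject -Property @{
            Indicator = 'DroppedFile'
            Detail    = "$dropPath ($($item.Length) bytes, modified $($item.LastWriteTime))"
        }
    }

    # 2. Autostart: a value named "AutoStart" under the HKLM Run key whose data
    #    is the malware path. Legitimate software rarely uses this generic name.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValue = Get-ItemProperty -Path $runKey -Name 'AutoStart' -ErrorAction SilentlyContinue
    if ($runValue) {
        $target = [string]$runValue.AutoStart
        $findings += New-Object PSObject -Property @{
            Indicator = 'RunKeyValue'
            Detail    = "$runKey\AutoStart = $target"
        }
        # Strip surrounding quotes (if any) and report whether the referenced file is present,
        # which tells the responder whether the persistence entry is still live or orphaned.
        $exe = $target -replace '^"([^"]*)".*$', '$1'
        $present = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
        $findings += New-Object PSObject -Property @{
            Indicator = 'RunKeyTarget'
            Detail    = "$exe exists: $present"
        }
    }

    # 3. Listener on TCP 8080. netstat -ano is available on every Windows release the
    #    write-up names. 8080 is also a common legitimate proxy/web port, so a listener
    #    alone is only corroborating evidence; the owning process path is recorded so it
    #    can be compared with the Run key target above.
    $netstat = netstat -ano 2>$null
    foreach ($line in $netstat) {
        if ($line -match '^\s*TCP\s+\S+:8080\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $ownerPid = [int]$Matches[1]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $procPath = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
            $findings += New-Object PSObject -Property @{
                Indicator = 'Listener8080'
                Detail    = "PID $ownerPid ($procPath)"
            }
        }
    }

    return $findings
}

# Usage: print any findings; an empty result means none of the listed indicators were found.
$result = Test-AtadommoIndicators
if ($result.Count -eq 0) {
    Write-Output 'No BKDR_ATADOMMO.C indicators found on this host.'
} else {
    $result | Select-Object Indicator, Detail | Format-Table -AutoSize
}
```

Treat a hit on the Run key value or the dropped file as the strong signal; the port 8080 listener should be weighed against what the owning process is, since web proxies and development servers commonly bind that port. If the Run key target no longer exists on disk, the entry is an orphan left behind by an earlier cleanup and can be removed on its own.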