BKDR_MEDIANA.A
Trojan-Proxy.Win32.Mediana.k (Kaspersky)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This backdoor may be dropped by other malware.
It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.
TECHNICAL DETAILS
Arrival Details
This backdoor may be dropped by the following malware:
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Executes process
- Sets current directory
- Uploads and downloads file
- Sends list of files and drives
It connects to the following websites to send and receive information:
- www.{BLOCKED}s.com
NOTES:
This backdoor enumerates entries in the following registry key and replaces the file each entry points to with a copy of itself:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run
It does not replace an .EXE file that has the same file name as one in the %Windows%\system32\dllcache folder. It also does not replace files whose names contain any of the following strings:
- 360
- avast
- avg
- avp
- ccApp
- dr.web
- egui
- feedback
- system
- UfSeAgnt
- updaterui
- win
The original copy of the replaced file is saved in the same folder under the file name {malware file name}..exe.
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 3
Scan your computer with your Trend Micro product and note files detected as BKDR_MEDIANA.A.
NOTES:
Note: After identifying the malware detected as BKDR_MEDIANA.A, check whether the same folder contains a file named {malware file name}..exe. Terminate and delete the detected malware.
Rename the original file {malware file name}..exe to {malware file name}.exe.
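The replacement routine in the NOTES and the manual cleanup in this SOLUTION can be turned into a hunt: for each autostart command, derive the {name}..exe sibling the backdoor leaves behind, flag entries where it exists, group suspects that share one hash (copies of a single dropped file), and optionally put the original back. This is an added example, not Trend Micro's tooling; the Run values are passed in as a constructed dict so it runs offline, and the function and variable names are the author's own.

```python
from __future__ import annotations
import hashlib
from pathlib import Path

def exe_from_command(command: str) -> Path:
    """Pull the executable path out of a Run value's command line.
    Handles both  "C:\\dir with spaces\\app.exe" /arg  and  C:\\dir\\app.exe /arg."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return Path(command[1:end] if end != -1 else command[1:])
    return Path(command.split(" ", 1)[0])

def backup_name(exe: Path) -> Path:
    """The preserved original sits beside the replaced file as '{name}..exe'."""
    return exe.with_name(exe.stem + "..exe")      # app.exe -> app..exe

def find_replaced(run_values: dict[str, str]) -> list[tuple[str, Path, Path]]:
    """Return (value name, suspect exe, preserved original) for every Run entry
    whose target has a '..exe' sibling, i.e. looks like it was swapped out.
    run_values is a constructed {value name: command line} dict; on a live host
    it would be read from the Run key named above."""
    hits = []
    for name, command in run_values.items():
        suspect = exe_from_command(command)
        original = backup_name(suspect)
        if original.is_file():
            hits.append((name, suspect, original))
    return hits

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def identical_suspects(hits) -> dict[str, list[Path]]:
    """Group suspect files by hash: several autostart targets with one identical
    body are almost certainly all copies of the same dropped backdoor."""
    groups: dict[str, list[Path]] = {}
    for _, suspect, _ in hits:
        if suspect.is_file():
            groups.setdefault(sha256(suspect), []).append(suspect)
    return {h: paths for h, paths in groups.items() if len(paths) > 1}

def restore_original(suspect: Path, original: Path, dry_run: bool = True) -> Path:
    """SOLUTION step: remove the malware copy and give the original its name back.
    No-op unless dry_run=False, so the hunt results can be reviewed first."""
    if not dry_run:
        suspect.unlink(missing_ok=True)
        original.rename(suspect)
    return suspect
```

Terminate the running process before calling restore_original with dry_run=False, as the SOLUTION step requires; a mapped executable cannot be unlinked on Windows.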