BKDR_SERVLOD.A
Backdoor.Trojan (Symantec), RDN/Generic.dx!c2j (McAfee), BehavesLike.Win32.Malware.wsc (mx-v) (Sunbelt)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system and executes them:
- %Windows%\Wmiservjuc.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
ImagePath = "%Windows%\Wmiservjuc.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
DisplayName = "Windows Web Client"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
Type = "16"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
Description = Windows Applications to access the Inter(R) Management and Security Application using its locally-available selected network interfaces.
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC\Enum
Other Details
This backdoor connects to the following possibly malicious URL:
- r.{BLOCKED}s.ms