BKDR_SYKIPOT.A
Aliases: Backdoor.Win32.Sykipot.an [Kaspersky], Trojan:Win32/Wisp.gen!A [Microsoft]
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
TECHNICAL DETAILS
Installation
This backdoor drops the following component file(s):
- %User Temp%\bsunday.dll
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %User Temp%\adobeupdate.exe
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
bsunday = "%User Temp%\adobeupdate.exe -installkys"
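The dropped files and the Run-key entry listed above can be checked offline from a triage collection: an export of the HKCU Run key (as written by `reg export`) and a listing of the user's Temp folder. The script below is an added example, not code from Trend Micro's entry. The .reg text and the file listing are constructed sample inputs, the user name alice is an assumption, and the function names are the author's own.

```python
"""Offline indicator check for the BKDR_SYKIPOT.A artifacts listed in the entry.

Added example (not Trend Micro's code). Parses a .reg export of the HKCU Run key
and a list of file paths from %User Temp%, and reports which indicators match.
"""
import ntpath
import re

# Indicators taken from the entry. Windows file and value names are
# case-insensitive, so every comparison is done on lower-cased text.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "bsunday"
DROPPED_FILES = {"adobeupdate.exe", "bsunday.dll"}
INSTALL_SWITCH = "-installkys"

# Constructed sample inputs (hypothetical user "alice"); not real host data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"bsunday"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\adobeupdate.exe -installkys"
'''
SAMPLE_TEMP_LISTING = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\~DF1234.tmp",
    r"C:\Documents and Settings\alice\Local Settings\Temp\AdobeUpdate.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\bsunday.dll",
]

_KEY_RE = re.compile(r"^\[([^\]]+)\]\s*$")
# "name"="data" lines only (REG_SZ); hex:/dword: values are not needed here.
_SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _SZ_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def check_run_key(keys):
    """Return (value_name, data) pairs under the HKCU Run key that match the entry."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            lowered = data.lower()
            if (name.lower() == RUN_VALUE_NAME
                    or "adobeupdate.exe" in lowered
                    or INSTALL_SWITCH in lowered):
                hits.append((name, data))
    return hits


def check_temp_files(paths):
    """Return the sorted dropped-file names present in a %User Temp% listing."""
    found = {ntpath.basename(p).lower() for p in paths}
    return sorted(found & DROPPED_FILES)


def assess(reg_export_text, temp_listing):
    """Combine both checks into one report; either indicator alone is a match."""
    run_hits = check_run_key(parse_reg_export(reg_export_text))
    files = check_temp_files(temp_listing)
    return {"run_key": run_hits, "dropped_files": files,
            "infected": bool(run_hits or files)}


if __name__ == "__main__":
    report = assess(SAMPLE_REG_EXPORT, SAMPLE_TEMP_LISTING)
    for name, data in report["run_key"]:
        print(f"Run value {name!r} -> {data}")
    for f in report["dropped_files"]:
        print(f"dropped file present: {f}")
    print("infected:", report["infected"])
```

The Run-key match is deliberately broader than the value name alone: an operator can rename the value, so the executable name and the `-installkys` switch in the command line are checked too. A genuine Adobe updater is not installed under the user's Temp folder, which is what makes `adobeupdate.exe` at that path a usable indicator despite the generic name.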
Other Details
This backdoor connects to the following possibly malicious URL:
- https://{BLOCKED}og.{BLOCKED}ayparty.com
Because the connection is made over HTTPS, content inspection at a proxy or IDS will not see the traffic; network-level detection relies on the host name in DNS or proxy logs rather than on payload content.