Such malicious programs can do whatever their author wants with the computer: send and receive files, launch and delete them, display messages, delete data, reboot the computer, and so on.
Malware of this type is often used to join victims' computers to so-called "botnets", which are centrally controlled by the attacker for malicious purposes.
There is also a group of backdoors capable of spreading over networks and infecting other computers, as Net-Worms do. What distinguishes such backdoors from worms is that they do not propagate over the network automatically (as worms do), but only on a special "command" from whoever controls the malicious program.
Technical details
A malicious program that gives a remote user access to the infected machine. It is a Windows executable (PE-EXE file), 221,184 bytes in size, written in C.
Installation
After launch, the backdoor looks up the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
It then attempts to overwrite the contents of each file whose path is listed as a value under those keys with the contents of its own original file. To evade signature-based antivirus scanners, 4 bytes are modified in the copy:
At the time of writing, the copy created this way was detected only by the heuristic analyzer of Kaspersky Anti-Virus ("HEUR:Backdoor.Win32.Generic").
Payload
After launch, the Trojan does the following:
- To ensure only one instance of its process runs on the system, it creates a unique identifier with the name:
- Attempts to terminate (unload from memory) any process whose name contains one of the following substrings:
almon
alsvc
alusched
apvxdwin
ashdisp
ashmaisv
ashserv
ashwebsv
avcenter
avciman
avengine
avesvc
avgnt
avguard
avp
bdagent
bdmcon
caissdt
cavrid
cavtray
ccapp
ccetvm
cclaw
ccproxy
ccsetmgr
clamtray
clamwin
counter
dpasnt
drweb
firewalln
fsaw
fsguidll
fsm32
fspex
guardxkickoff
hsock
isafe
isafe
kav
kavpf
kpf4gui
kpf4ss
livesrv
mcage
mcdet
mcshi
mctsk
mcupd
mcupdm
mcvs
mcvss
mpeng
mpfag
mpfser
mpft
msascui
mscif
msco
msfw
mskage
msksr
msmps
msmsgs
mxtask
navapsvc
nip
nipsvc
njeeves
nod32krn
nod32kui
npfmsg2
npfsvice
nscsrvce
nvcoas
nvcsched
oascl
pavfnsvr
PXAgent
pxagent
pxcons
PXConsole
savadmins
savser
scfmanager
scfservice
scftray
sdhe
sndsrvc
spbbcsvc
spidernt
spiderui
spysw
sunprotect
sunserv
sunthreate
swdoct
symlcsvc
tsanti
vba32ldr
vir.exe
vrfw
vrmo
vsmon
vsserv
webproxy
webroot
winssno
wmiprv
xcommsvr
zanda
zlcli
zlh
- Establishes a connection with the following host:
After this, on the attacker's command, the backdoor can download other malicious programs to the infected computer and execute them. Downloaded files are saved in the directory:
%APPDATA%\<rnd1>\<rnd2>
where <rnd1> and <rnd2> are random sequences of characters.
At the time of writing, the server at this address was not responding.
Removal recommendations
If your computer was not protected by an antivirus and has been infected with this malware, take the following steps to remove it:
1. Restart the computer in Safe Mode (press and hold F8 at the start of boot, then select "Safe Mode" in the Windows boot menu).
2. Check the files registered under the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Remove the copies created by the backdoor. Note that the backdoor writes its copies over the files that were already registered there, so the registry values themselves look unchanged; the overwritten programs must be reinstalled or restored from a clean source.
3. Delete the files in:
%APPDATA%\<rnd1>\<rnd2>
4. Empty the Temporary Internet Files folder, which may contain infected files.
5. Update your antivirus databases and perform a full system scan with Kaspersky Anti-Virus.
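The Installation section above describes the backdoor overwriting the files registered under the Run keys with a lightly modified copy of itself, and step 2 of the removal procedure asks you to check those files by hand. The PowerShell script below, added here as an example and not part of the original write-up, automates that triage: it resolves every Run value to its executable, and for each one reports size, SHA-256 hash, Authenticode status and last-write time, flagging files whose size equals the 221,184 bytes given for this sample (assumption: the overwritten copies keep that size, since only 4 bytes change) or whose signature is no longer valid. The %APPDATA% sweep for step 3 is this editor's heuristic, not something the write-up states: it lists directories two levels below %APPDATA% that hold PE files, since the real <rnd1>\<rnd2> names cannot be known in advance. The script is read-only and removes nothing.

```powershell
# Added example (editor's code, not from the original write-up): read-only
# triage of the autorun entries this backdoor abuses. Run in an elevated
# PowerShell session; it prints findings and deletes nothing.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Size of the sample from the write-up. Assumption: overwritten copies keep
# this size, because only 4 bytes are changed in the copy.
$sampleSize = 221184

# Provider metadata that Get-ItemProperty attaches to every result.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-AutorunTarget {
    # Extract the executable path from a Run value: handles quoted paths,
    # trailing arguments, %VAR% references and unquoted paths with spaces.
    param([string]$Value)
    $v = $Value.Trim()
    if ([string]::IsNullOrWhiteSpace($v)) { return $null }
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) {
            return [Environment]::ExpandEnvironmentVariables($v.Substring(1, $end - 1))
        }
    }
    # Unquoted: grow the candidate token by token until it names a file.
    $parts = $v -split '\s+'
    for ($i = 0; $i -lt $parts.Count; $i++) {
        $cand = [Environment]::ExpandEnvironmentVariables(($parts[0..$i] -join ' '))
        if (Test-Path -LiteralPath $cand -PathType Leaf) { return $cand }
    }
    return [Environment]::ExpandEnvironmentVariables($parts[0])
}

function Test-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notin $psMeta }
        foreach ($p in $props) {
            $target = Resolve-AutorunTarget ([string]$p.Value)
            if (-not $target -or -not (Test-Path -LiteralPath $target -PathType Leaf)) {
                Write-Output "[$key] $($p.Name): target not found: $target"
                continue
            }
            $file = Get-Item -LiteralPath $target
            $sig  = Get-AuthenticodeSignature -FilePath $target
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $target).Hash
            # The registry value is untouched by the backdoor; only the file
            # content changes, so size, signature state and hash are what to check.
            $flags = @()
            if ($file.Length -eq $sampleSize) { $flags += 'size matches sample' }
            if ($sig.Status -ne 'Valid')       { $flags += "signature: $($sig.Status)" }
            Write-Output "[$key] $($p.Name)"
            Write-Output "    path=$target"
            Write-Output "    size=$($file.Length) sha256=$hash"
            Write-Output "    modified=$($file.LastWriteTime) flags=$($flags -join '; ')"
        }
    }
}

function Find-AppDataDropDirs {
    # Step 3 of the removal procedure: downloads land in %APPDATA%\<rnd1>\<rnd2>.
    # Heuristic (editor's assumption, not from the write-up): list directories
    # exactly two levels below %APPDATA% that contain PE files, for manual review.
    Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Directory -ErrorAction SilentlyContinue } |
        ForEach-Object {
            $pe = Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue |
                  Where-Object { $_.Extension -in @('.exe', '.dll') }
            if ($pe) { Write-Output "APPDATA candidate: $($_.FullName) ($($pe.Count) PE file(s))" }
        }
}

Test-AutorunEntries
Find-AppDataDropDirs
```

Treat the flags as leads, not verdicts: many legitimate autorun programs are unsigned, and a repacked copy of the backdoor may not keep the sample size. What matters is that a Run entry whose path looks familiar can still point at a file whose content has been replaced, which is why the hash and last-write time are printed for comparison against a known-good install.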
Other names
Backdoor.Win32.Banito.ayg (Kaspersky Lab) is also known as:
Trojan:Generic BackDoor!Cup (McAfee)
Mal/Generic-L (Sophos)
W32/OnlineGames.F.gen!Eldorado (FPROT)
TrojanDownloader:Win32/Unruy.I (MS(OneCare))
Win32/Agent.OCR trojan (Nod32)
Gen:Variant.Unruy.5 (BitDef7)
Trojan.DL.Unruy!Pyou0VCWMo4 (VirusBuster)
Win32:Malware-gen (AVAST)
Trojan-Downloader.Win32.Unruy (Ikarus)
TR/Agent.221184.BZ (AVIRA)
W32.Unruy.A (NAV)
W32/Obfuscated.FA (Norman)
Backdoor.Win32.Gpigeon2010.yf (Rising)
Backdoor.Win32.Banito.ayg [AVP] (FSecure)
Trojan.Win32.OnlineGames (Sunbelt)
Trojan.DL.Unruy!Pyou0VCWMo4 (VirusBusterBeta)