
Backdoor:Win32/Dedipros.A


First posted on 08 May 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Dedipros.A is also known as Backdoor:Win32/Dedipros.A (other).

Explanation:

Backdoor:Win32/Zegost.Z is a trojan that communicates with a command and control server to allow unauthorized access and control of your computer.



Installation

If this trojan is run, it drops a copy of Dedipros into the Windows system folder, as in the following example:

  • C:\Windows\System32\nwcworkstationex.dll


During installation of the trojan, registry data is modified to run the malware when you start Windows.

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters
Sets value: "ServiceDll"
To data: "<system folder>\nwcworkstationex.dll"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "netsvcs"
To data: "<previous data> <malware service name>"

The original copy of the trojan is deleted when the trojan service starts.



Payload

Communicates with a remote server

Backdoor:Win32/Zegost.Z attempts to connect to a remote command and control server to receive instructions that execute other payloads, such as the following:

  • Start a process
  • Clear the system event log
  • Reboot the computer
  • Terminate a thread
  • Delete a file
  • Inject malicious content into a running process
  • Download and execute arbitrary programs by issuing the command line parameter "Spider update"


We observed this trojan contacting the following servers for this purpose:

  • 222.247.50.11:8000
  • jesso.3322.org:7102
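The Installation section above describes a common persistence pattern: a DLL registered as a service's ServiceDll and the service name appended to the svchost "netsvcs" group, so the code is loaded by a legitimate svchost.exe process. A defender checking a host for this pattern does not know the service name in advance (the write-up only gives it as "<malware service name>"), so the useful check is to walk every member of the group and inspect where its ServiceDll points and whether that file carries a valid Microsoft signature. The following PowerShell script is an added example, not part of the Microsoft write-up; it also checks live TCP connections against the two C2 endpoints listed in the Payload section. It assumes Windows PowerShell 5.1 run as an administrator on the host under investigation, with the standard DnsClient and NetTCPIP modules available, and it only reports, it does not remediate.

```powershell
# Added example (not from the Microsoft write-up): audit svchost "netsvcs"
# persistence of the kind described above and check live TCP connections
# against the two listed C2 endpoints. Run as administrator. Read-only.

# Indicators taken from the write-up above.
$knownDll = 'nwcworkstationex.dll'
$c2Hosts  = @('222.247.50.11', 'jesso.3322.org')
$c2Ports  = @(8000, 7102)

# 1. Every service name listed in the "netsvcs" svchost group (REG_MULTI_SZ)
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs').netsvcs

$findings = foreach ($svc in $netsvcs) {
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = (Get-ItemProperty -Path $paramKey -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }   # group member without a ServiceDll: not an svchost-hosted DLL

    # Expand %SystemRoot%-style variables so the path can be checked on disk
    $path   = [Environment]::ExpandEnvironmentVariables($dll)
    $signer = $null
    $sigStatus = 'FileMissing'
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status.ToString()
        $signer = $sig.SignerCertificate.Subject
    }

    # Flag on the listed file name, on a missing/invalid signature, or on a non-Microsoft signer
    $reasons = @()
    if ((Split-Path -Leaf $path) -ieq $knownDll) { $reasons += 'matches listed Dedipros file name' }
    if ($sigStatus -ne 'Valid') { $reasons += "signature status $sigStatus" }
    elseif ($signer -notmatch 'Microsoft') { $reasons += "signed by non-Microsoft subject: $signer" }

    [pscustomobject]@{
        Service    = $svc
        ServiceDll = $path
        Signature  = $sigStatus
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

"=== svchost netsvcs members and their ServiceDll values ==="
$findings | Format-Table -AutoSize
"Flagged: $(($findings | Where-Object Suspicious).Count) of $($findings.Count)"

# 2. Live TCP connections to the listed C2 endpoints (host name resolved at run time)
$c2Addrs = foreach ($h in $c2Hosts) {
    if ($h -as [ipaddress]) { $h }
    else { try { (Resolve-DnsName -Name $h -Type A -ErrorAction Stop).IPAddress } catch { } }
}
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $c2Addrs -contains $_.RemoteAddress -or $c2Ports -contains $_.RemotePort }

"=== TCP connections touching listed C2 hosts or ports ==="
if ($conns) {
    $conns | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Format-Table -AutoSize
} else { 'none' }
```

A legitimate netsvcs member points at a Microsoft-signed DLL, so anything flagged by the signature test deserves a closer look regardless of its name; an entry that only matches on remote port 8000 or 7102 is a weak signal on its own, since those ports are used by ordinary software, and should be confirmed by the remote address or by the owning process (OwningProcess gives the PID, which on an infected host will be an svchost.exe instance hosting the flagged service).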




Analysis by Hong Jia

Last update 08 May 2012
