
Backdoor:Win32/Atadommoc.C


First posted on 02 May 2012.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Win32/Atadommoc.C.

Explanation:

Backdoor:Win32/Atadommoc.C is a trojan that allows an attacker to access your computer. It connects to remote hosts and may download and install additional malware onto your computer.



Installation

When executed, Atadommoc.C drops the file "common.data" to the following location:

%ALL USERS%\Application Data\common.data

This is an encrypted data file that Atadommoc uses for its payload. It then creates the following registry entry so that it executes every time your computer starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AutoStart"
With data: "<Malware Path>"

Note: <Malware Path> is a variable location. This is the location of the Atadommoc.C executable and will vary according to where the trojan has been installed.

Atadommoc then checks for an active Internet connection by querying the SMTP servers a.mx.mail.yahoo.com or smtp.mail.ru using port 25.

Payload

Allows backdoor access and control

Atadommoc allows an attacker to access and control your computer. To do this it establishes a connection with a specified IP address using port 8080. In the wild, we have observed Atadommoc connecting to the following IP addresses for this purpose:

  • 109.169.29.115
  • 202.190.179.11
  • 202.190.179.117
  • 204.12.216.50
  • 46.37.184.90
  • 50.7.243.58
  • 78.129.196.41
  • 78.159.121.164
  • 94.75.243.136
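
The persistence, dropped-file and network indicators listed in the Installation and Payload sections above can be checked mechanically. The script below is an added example written for this entry, not Microsoft's detection logic: it reads a `reg export`-style dump of the Run key, a list of file paths, and firewall and DNS log lines, and reports matches against the indicators stated on this page. The log line formats, the `HKEY_LOCAL_MACHINE` long form of the key name, and the `C:\ProgramData` mapping of %ALL USERS% on newer Windows are assumptions not taken from the page; all sample inputs are constructed.

```python
"""Host and network indicator check for Backdoor:Win32/Atadommoc.C.

Added example for this entry; not Microsoft's detection code. The registry
dump, file paths and log lines used as input are constructed for the demo.
"""
import re
from typing import Dict, List

# Indicators as stated on the page (reg export writes the long hive name).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "AutoStart"
# %ALL USERS%\Application Data\common.data; on Vista and later %ALL USERS%
# resolves to C:\ProgramData (assumption, not from the page).
DROPPED_FILE_SUFFIXES = (r"\application data\common.data", r"\programdata\common.data")
C2_PORT = 8080
C2_IPS = {
    "109.169.29.115", "202.190.179.11", "202.190.179.117", "204.12.216.50",
    "46.37.184.90", "50.7.243.58", "78.129.196.41", "78.159.121.164", "94.75.243.136",
}
SMTP_PROBE_HOSTS = {"a.mx.mail.yahoo.com", "smtp.mail.ru"}

_REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
# Assumed log formats: "... dst=<ip> dport=<port> ..." and "... query=<name> ...".
_FW_RE = re.compile(r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")
_DNS_RE = re.compile(r"query=(?P<name>[\w.-]+)")


def check_run_key(reg_export: str) -> List[str]:
    """Flag an "AutoStart" value under the HKLM Run key in a .reg-style export."""
    findings, current_key = [], None
    for line in reg_export.splitlines():
        key_match = _REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        val_match = _REG_VALUE_RE.match(line)
        if (val_match and current_key and current_key.lower() == RUN_KEY.lower()
                and val_match.group("name").lower() == RUN_VALUE_NAME.lower()):
            data = val_match.group("data").replace("\\\\", "\\")  # undo .reg escaping
            findings.append(f"run-key persistence: {RUN_VALUE_NAME} -> {data}")
    return findings


def check_file_paths(paths: List[str]) -> List[str]:
    """Flag the encrypted payload file common.data in the All Users profile."""
    return [f"dropped payload file: {p}" for p in paths
            if p.lower().replace("/", "\\").endswith(DROPPED_FILE_SUFFIXES)]


def check_network(log_lines: List[str]) -> List[str]:
    """Flag contact with the listed C2 addresses and the port-25 reachability probe.

    The resolved addresses of the two SMTP servers are not on the page, so the
    DNS lookup of their names is used as the proxy for the probe.
    """
    findings = []
    for line in log_lines:
        fw = _FW_RE.search(line)
        if fw and fw.group("dst") in C2_IPS:
            port = int(fw.group("dport"))
            label = "c2 connection" if port == C2_PORT else "contact with listed C2 IP on other port"
            findings.append(f"{label}: {fw.group('dst')}:{port}")
        dns = _DNS_RE.search(line)
        if dns and dns.group("name").lower() in SMTP_PROBE_HOSTS:
            findings.append(f"connectivity probe (low confidence): {dns.group('name')}")
    return findings


def scan(reg_export: str, paths: List[str], log_lines: List[str]) -> Dict[str, List[str]]:
    """Run all three checks and group the findings by evidence source."""
    return {
        "registry": check_run_key(reg_export),
        "files": check_file_paths(paths),
        "network": check_network(log_lines),
    }


# Constructed sample inputs (not real telemetry).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"AutoStart"="C:\\Users\\Public\\Downloads\\update.exe"
"""
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\common.data",
    r"C:\Program Files\Vendor\tray.exe",
]
SAMPLE_LOGS = [
    "2012-05-02T10:01:03Z fw src=10.0.0.5 dst=78.129.196.41 dport=8080 proto=tcp action=allow",
    "2012-05-02T10:01:04Z fw src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp action=allow",
    "2012-05-02T10:00:59Z dns src=10.0.0.5 query=smtp.mail.ru type=A",
    "2012-05-02T10:01:10Z fw src=10.0.0.5 dst=109.169.29.115 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for source, hits in scan(SAMPLE_REG_EXPORT, SAMPLE_PATHS, SAMPLE_LOGS).items():
        print(source, hits)
```

Two caveats apply when using this against real data: the nine addresses are a 2012 in-the-wild observation and will age out, so a hit on a different port is reported separately rather than ignored, and a port-25 lookup of a public mail server is normal for a mail client, so the probe finding is corroborating evidence only, never a verdict on its own.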


Atadommoc contains anti-virtualization mechanisms to make analyzing its behavior more difficult. It will not perform its payload if any of the following conditions is met:

  • If the value of the registry entry HARDWARE\DESCRIPTION\System\VideoBiosVersion contains the string "virtualbox".
  • If the name of the physical disk drive contains any of the following strings:
    00000000000000000001
    array
    qemu
    qm00001
    sample
    vbox
    virtual
    virus
    vmware
    vx
    ware
  • If the following DLLs are loaded into any process:
    SbieDll.dll
    pstorec.dll
  • If the process "wireshark.exe" is running on the system.


This malware can also download and install a .SYS file onto the computer from the remote servers mentioned above. It may save the .SYS file into the %System%\drivers folder and may install it as a service.



Analysis by Ric Robielos

Last update 02 May 2012
