
Backdoor.Waketagat


First posted on 27 May 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Waketagat.

Explanation:

When the Trojan is executed, it creates one of the following files:

%ProgramFiles%\Task Shedule\csrss.exe
%CommonProgramFiles%\AhnLab\AhnSvc.exe

The Trojan then creates one of the following registry entries so that it runs every time Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SheduleSvc" = "%ProgramFiles%\Task Shedule\csrss.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AhnUpadate" = "%CommonProgramFiles%\AhnLab\AhnSvc.exe"

Next, the Trojan opens a back door and connects to one or more of the following remote locations:

[http://]woorihi.or.kr/admin/product/proc/proc[REMOVED]
[http://]www.ftlab.kr/admin/data/bbs/technology/tech/inde[REMOVED]
[http://]www.hellobetta.com/mall/flash/POPUP/[REMOVED]
[http://]www.aega.co.kr/mall/manual/parser/parse[REMOVED]

The Trojan may then perform the following actions:

Download, upload, and execute files
Run a command prompt
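
A host check for the dropped files and Run entries listed above, as an added example that is not part of the original Symantec write-up. The function name Get-WaketagatFinding is hypothetical; the value names and paths are the ones given on this page.

```powershell
# Added example. Indicators are the Run value names and file paths listed above.
$Indicators = @(
    @{ Name = 'SheduleSvc'; File = '%ProgramFiles%\Task Shedule\csrss.exe' }
    @{ Name = 'AhnUpadate'; File = '%CommonProgramFiles%\AhnLab\AhnSvc.exe' }
)
$RunSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Get-WaketagatFinding {   # hypothetical name
    # 1. Dropped files: expand the environment variables and test for presence.
    foreach ($i in $Indicators) {
        $file = [Environment]::ExpandEnvironmentVariables($i.File)
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            [pscustomobject]@{ Type = 'File'; Location = $file; Detail = 'present on disk' }
        }
    }
    # 2. Run values: HKEY_CURRENT_USER is per user, so walk every loaded
    #    user hive under HKEY_USERS (run elevated to read other users' hives).
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
    foreach ($hive in $hives) {
        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$RunSubKey"
        $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            # Read the stored string as-is, then expand it ourselves for comparison.
            $raw  = [string]$key.GetValue($valueName, '', 'DoNotExpandEnvironmentNames')
            $data = [Environment]::ExpandEnvironmentVariables($raw).Trim('"', ' ')
            foreach ($i in $Indicators) {
                $file = [Environment]::ExpandEnvironmentVariables($i.File)
                # -eq on strings is case-insensitive, matching registry and NTFS semantics.
                if ($valueName -eq $i.Name -or $data -eq $file) {
                    [pscustomobject]@{
                        Type     = 'RunValue'
                        Location = "$($key.Name)\$valueName"
                        Detail   = $raw
                    }
                }
            }
        }
    }
}

Get-WaketagatFinding | Format-Table -AutoSize -Wrap
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so an empty result covers only the profiles active at the time of the check.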

Last update 27 May 2015

 
