Home / malware Backdoor.Netegol
First posted on 15 April 2015.
Source: SymantecAliases :
There are no other names known for Backdoor.Netegol.
Explanation :
Once executed, the Trojan creates the following files:
%ProgramFiles%\Messenger\msmsgr.exe%UserProfile%\Templates\ieupdate.exe%UserProfile%\Templates\visit.exe
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"msmsgr" = %ProgramFiles%\Messenger\msmsgr.exe
Next, the Trojan may connect to one or more of the following command-and-control (C&C) servers:
[http://]www.autoapec.com/yzstmfa/updat[REMOVED][http://]www.autoapec.com/yzstmfa/allupd[REMOVED][http://]www.autoapec.com/yzstmfa/update[REMOVED][http://]www.autoapec.com/yzstmfa/pic1[REMOVED][http://]www.autoapec.com/yzstmfa/pic2[REMOVED][http://]www.autoapec.com/yzstmfa/pic4[REMOVED]
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Enumerate drivesSearch, list, create, rename, and delete files and foldersRead and write to filesGet size of foldersGet and set file attributesGet volume informationSet volume labelExecute filesDelete itselfCreate remote desktop sessionEnumerate running processes
The Trojan may also download and execute potentially malicious files from URLs provided by the listed C&C servers.Last update 15 April 2015
