Home / malware Backdoor.Poldat
First posted on 20 November 2015.
Source: SymantecAliases :
There are no other names known for Backdoor.Poldat.
Explanation :
When the Trojan is executed, it creates the following file: %AppData%/rasctl.dll
The Trojan then creates the following registry entries: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\Parameters\"ServiceMain" = "NVIDIAVideo"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\Parameters\"ServiceDll" = "%AppData%/rasctl.dllHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\"Type" = "110"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\"Start" = "2"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\"ObjectName" = "LocalSystem"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\"ImagePath" = "%SystemDrive%\System32\svchost.exe -k netsvcs"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\"ErrorControl" = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\"DisplayName" = "Remote Access Control Center"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASCtrl\"Description" = "To provide management and control for the Routing and Remote Access Service (RAS)."
Next, the Trojan opens a back door and connects to the following remote location: [http://]xrgt.wordoscorp.com/20151119/blog/[RANDOM CHARACTERS]/[RANDOM CHA[REMOVED][http://]xrgt.wordoscorp.com/20151119/mall/[RANDOM CHARACTERS]/[RANDOM CHA[REMOVED]
The Trojan may then perform the following actions: Modify filesList local drivesTake control of servicesCapture screenshotsEmulate keyboard input allowing attackers to gain remote access
Execute commandsUpload and download filesLast update 20 November 2015
