Backdoor:Win32/Comfoo.B
First posted on 04 April 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Comfoo.B is also known as Trojan horse PSW.Agent.AIBA.dropper (AVG), TR/Dropper.Gen (Avira), Dropped:Trojan.Generic.5722193 (BitDefender), Trojan.DownLoader5.59827 (Dr.Web).
Explanation:
Backdoor:Win32/Comfoo.B is a trojan that allows unauthorized remote access to and control of an affected computer. It also attempts to capture sensitive information and send it to a remote server for collection by an attacker.
Installation
Backdoor:Win32/Comfoo.B may be installed by other malware. When run, it drops the following files:
- wtsc.dll
- tronds.sys
It then registers wtsc.dll as a service and injects it into Internet Explorer in an effort to hide its presence on the affected computer.
The kernel driver file, tronds.sys, is a rootkit component: it hides the backdoor's artifacts from user-mode tools by hooking native system calls. It hides:
- Network ports, by hooking NtDeviceIoControlFile
- Processes, by hooking NtQuerySystemInformation
- Folders and files, by hooking NtQueryDirectoryFile
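Because the hooks live in the kernel of the infected host, every local tool that goes through those system calls (netstat, Task Manager, Explorer, dir) is lied to. The standard counter is a cross-view diff: take the same inventory from a vantage point the rootkit cannot touch and compare. For the port-hiding hook, that second vantage point is a port scan from another machine. The script below is an added example, not part of the Microsoft write-up; the netstat and nmap outputs are constructed for illustration, and port 4431 is an arbitrary placeholder, not a Comfoo indicator.

```python
"""Cross-view detection of listening ports hidden by a kernel hook.

Added example. The rootkit's NtDeviceIoControlFile hook filters what the
infected host's own netstat reports, but a TCP connect scan from a second
machine still completes the handshake with the hidden socket. Any port that
is open from outside yet absent from the host's listing is a candidate for
a hidden backdoor listener.
"""
import re

# Constructed sample: `netstat -ano` as captured on the (hypothetical) infected host.
NETSTAT_HOST = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49158     192.168.1.7:445        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       788
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed sample: `nmap -sT -p- -oG - 192.168.1.20` grepable output from a second machine.
NMAP_EXTERNAL = """\
# Nmap 7.94 scan initiated Wed Apr  4 10:00:00 2012 as: nmap -sT -p- -oG - 192.168.1.20
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.20 ()   Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 4431/open/tcp//unknown///   Ignored State: closed (65531)
# Nmap done at Wed Apr  4 10:02:13 2012 -- 1 IP address (1 host up) scanned
"""

# proto, local addr, local port, foreign addr, optional state (absent for UDP), pid
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$", re.I
)
# nmap -oG port fields: port/state/proto/owner/service/rpc/version/
NMAP_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def listening_ports(netstat_text):
    """Return the set of (proto, port) the host's own netstat shows as listening."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state, _pid = m.groups()
        proto = proto.upper()
        # Established/TIME_WAIT TCP rows are not listeners; UDP rows have no state.
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        ports.add((proto, int(port)))
    return ports


def open_ports_external(nmap_grepable):
    """Return the set of (proto, port) an external nmap scan found open."""
    return {(m.group(2).upper(), int(m.group(1)))
            for m in NMAP_PORT_RE.finditer(nmap_grepable)}


def hidden_ports(host_view, external_view):
    """Ports reachable from outside but missing from the host's own view.

    The opposite discrepancy (listed locally, closed externally) is usually
    just a host firewall and is not reported here.
    """
    return sorted(external_view - host_view)


if __name__ == "__main__":
    host = listening_ports(NETSTAT_HOST)
    outside = open_ports_external(NMAP_EXTERNAL)
    for proto, port in hidden_ports(host, outside):
        print(f"{proto}/{port} is open externally but hidden from the host's netstat")
```

The same cross-view idea applies to the other two hooks: compare the process list from NtQuerySystemInformation against a sweep of OpenProcess over every PID, and probe the dropped file names (wtsc.dll, tronds.sys) directly with an open or stat call rather than relying on a directory listing that NtQueryDirectoryFile can filter. An offline disk image or a boot from clean media sidesteps the hooks entirely and is the more reliable confirmation.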
Payload
Allows backdoor access and control
Backdoor:Win32/Comfoo.B allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Comfoo.B. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
Steals sensitive information
In the wild, we have observed Backdoor:Win32/Comfoo.B stealing the following information from an affected computer:
- Operating system version
- CPU (Central Processing Unit)
- Boot details
- User account names and types
- Drives
- Network connection information
- Available transport protocols
- NetBIOS information
- Installed applications
- Internet Explorer settings
- Installed BHOs (Browser Helper Objects)
The malware attempts to send this information to a remote server for collection by an attacker. At the time of this writing, the remote server could not be reached.
Analysis by Jim Wang
Last update 04 April 2012