
Backdoor:Win32/Comfoo.B


First posted on 04 April 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Comfoo.B is also known as Trojan horse PSW.Agent.AIBA.dropper (AVG), TR/Dropper.Gen (Avira), Dropped:Trojan.Generic.5722193 (BitDefender), Trojan.DownLoader5.59827 (Dr.Web).

Explanation:

Backdoor:Win32/Comfoo.B is a trojan that allows unauthorized remote access to and control of an affected computer. The trojan attempts to capture sensitive information and send it to a remote server for collection by an attacker.





Installation

Backdoor:Win32/Comfoo.B may be installed by other malware. When run, it drops the following files:

  • wtsc.dll
  • tronds.sys


It then registers wtsc.dll as a service, and injects it into Internet Explorer in an effort to hide its presence on the affected computer.

The kernel driver file, tronds.sys, is used to hide:

  • Network ports, by hooking NtDeviceIoControlFile
  • Processes, by hooking NtQuerySystemInformation
  • Folders and files, by hooking NtQueryDirectoryFile
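A driver that hooks these three calls only filters what those particular call paths return; an independent path (probing every PID, walking the directory from a raw volume handle, reading the socket table through a different route) still sees the object, so diffing the two views exposes what is hidden. The script below is an added example, not part of Microsoft's description: it implements that cross-view check on constructed data, where the `*_api` views stand for the hooked enumeration APIs and the `*_raw` views for the independent path; PID 1337 and port 4444 are invented, while the two file names are the ones listed above as dropped by Comfoo.B.

```python
"""Cross-view rootkit detection (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Views:
    processes_api: set    # PIDs returned by the (possibly hooked) API path
    processes_raw: dict   # PID -> image name from the independent path
    files_api: set        # names returned by directory enumeration
    files_raw: set        # names found by the independent path
    ports_api: set        # listening ports reported by the API path
    ports_raw: dict       # port -> owning PID from the independent path


def cross_view_diff(v: Views) -> dict:
    """Return objects present in the raw view but missing from the API view."""
    hidden_procs = sorted(pid for pid in v.processes_raw if pid not in v.processes_api)
    hidden_files = sorted(v.files_raw - v.files_api)
    hidden_ports = sorted(p for p in v.ports_raw if p not in v.ports_api)
    # A hidden port owned by a hidden process is the strongest single signal:
    # the same actor is filtering two different syscalls (ports and processes).
    linked = [(p, v.ports_raw[p]) for p in hidden_ports if v.ports_raw[p] in hidden_procs]
    if linked or (hidden_procs and hidden_files):
        verdict = "rootkit-likely"
    elif hidden_procs or hidden_files or hidden_ports:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"processes": hidden_procs, "files": hidden_files,
            "ports": hidden_ports, "linked": linked, "verdict": verdict}


# Constructed sample: PID 1337 and TCP port 4444 are invented for illustration;
# wtsc.dll and tronds.sys are the file names given in the description above.
SAMPLE = Views(
    processes_api={4, 612, 1024},
    processes_raw={4: "System", 612: "services.exe",
                   1024: "iexplore.exe", 1337: "svchost.exe"},
    files_api={"kernel32.dll", "user32.dll"},
    files_raw={"kernel32.dll", "user32.dll", "wtsc.dll", "tronds.sys"},
    ports_api={135, 445},
    ports_raw={135: 612, 445: 4, 4444: 1337},
)

if __name__ == "__main__":
    print(cross_view_diff(SAMPLE))
```

On a live host the raw views must come from code paths the driver does not hook; if both views pass through the same hooked call, the diff is empty regardless of what is hidden.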


Payload

Allows backdoor access and control

Backdoor:Win32/Comfoo.B allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Comfoo.B. This could include, but is not limited to, the following actions:

  • Download and execute arbitrary files
  • Upload files
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files


Steals sensitive information

In the wild, we have observed Backdoor:Win32/Comfoo.B stealing the following information from an affected computer:

  • Operating system version
  • CPU (Central Processing Unit)
  • Boot details
  • User account names and types
  • Drives
  • Network connection information
  • Available transport protocols
  • NetBIOS information
  • Installed applications
  • Internet Explorer settings
  • BHO (Browser Helper Object)


The malware attempts to contact a remote server for collection by an attacker. At the time of this writing, the remote server could not be reached.



Analysis by Jim Wang

Last update 04 April 2012
