
Backdoor.Readomesa


First posted on 07 November 2014.
Source: Symantec

Aliases :

There are no other names known for Backdoor.Readomesa.

Explanation :

Once executed, the Trojan creates the following files (IXP[THREE DIGIT NUMBER].TMP is the temporary staging folder created by the Windows IExpress self-extractor, wextract.exe, and is the same folder referenced by the RunOnce cleanup entries below):

%Temp%\IXP[THREE DIGIT NUMBER].TMP\readme.txt
%Temp%\IXP[THREE DIGIT NUMBER].TMP\libssp-0.dll
%Temp%\IXP[THREE DIGIT NUMBER].TMP\ctfmon.exe
%AllUsersProfile%\Application Data\readme.txt
%AllUsersProfile%\Application Data\libssp-0.dll
%AllUsersProfile%\Application Data\ctfmon.exe
%UserProfile%\acpi64.cnm
%UserProfile%\xupdater.exe

It also creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"wextract_cleanup1" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%Temp%\IXP[THREE DIGIT NUMBER].TMP\""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%Temp%\IXP[THREE DIGIT NUMBER].TMP\""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"pidgin" = "%AllUsersProfile%\Application Data\ctfmon.exe"

The two wextract_cleanup RunOnce values are the standard cleanup entries written by IExpress packages; they delete the IXP[THREE DIGIT NUMBER].TMP staging folder on the next logon and are not specific to this threat. The Run value named "pidgin" is the persistence mechanism: it launches the dropped ctfmon.exe from %AllUsersProfile%\Application Data, whereas the legitimate ctfmon.exe resides in %System%.

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform denial-of-service attacks using the following protocols:

HTTP
TCP
UDP

The Trojan may also connect to the following remote location in order to update itself:

[http://]ninekobe.com/ad/[REMOVED]
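The following triage helper is an added example by the editor, not Symantec's tooling or code from the original writeup. It takes host artifacts an analyst would already have collected (a file listing and the contents of the Run/RunOnce keys), maps concrete paths back to the %Temp%/%AllUsersProfile%/%UserProfile% placeholders used above, and reports which Backdoor.Readomesa indicators they match. The severity ratings, the IXP\d{3}\.TMP pattern, the environment mapping and all sample inputs are the editor's assumptions and constructed data; on a live host the mapping would be filled from the user's actual environment variables.

```python
"""Match collected host artifacts against the Backdoor.Readomesa indicators.

Editor's added example (not Symantec's code). Severity ratings are the
editor's assessment: files in the IExpress IXP###.TMP folder and the
wextract_cleanup RunOnce values are produced by any IExpress package, so
they only corroborate; the Application Data / profile-root drops and the
"pidgin" Run value are specific to this writeup.
"""
import re
from typing import Dict, List, Tuple

IXP_DIR = r"IXP\d{3}\.TMP"  # IExpress extraction folder, e.g. IXP000.TMP

# Dropped files, as case-insensitive regexes over the placeholder form of the path.
FILE_INDICATORS: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"^%temp%\\" + IXP_DIR + r"\\(readme\.txt|libssp-0\.dll|ctfmon\.exe)$", re.I),
     "low", "file inside IExpress extraction folder (corroborating only)"),
    (re.compile(r"^%allusersprofile%\\application data\\(readme\.txt|libssp-0\.dll|ctfmon\.exe)$", re.I),
     "high", "Readomesa drop in Application Data (legitimate ctfmon.exe lives in %System%)"),
    (re.compile(r"^%userprofile%\\(acpi64\.cnm|xupdater\.exe)$", re.I),
     "high", "Readomesa drop in user profile root"),
]

# Autorun entries: (key regex, value-name regex, data regex, severity, note).
REG_INDICATORS = [
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I),
     re.compile(r"^pidgin$", re.I),
     re.compile(r"^%allusersprofile%\\application data\\ctfmon\.exe$", re.I),
     "high", "persistence: Run value 'pidgin' launching the dropped ctfmon.exe"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce$", re.I),
     re.compile(r"^wextract_cleanup\d+$", re.I),
     re.compile(r'DelNodeRunDLL32\s+"%temp%\\' + IXP_DIR + r'\\?"', re.I),
     "low", "generic IExpress cleanup entry (corroborating only)"),
]


def normalize(text: str, env: Dict[str, str]) -> str:
    """Replace concrete directories in text with the writeup's placeholders.

    env maps placeholder -> concrete directory. Longer directories are
    substituted first so %Temp% (inside the profile) wins over %UserProfile%.
    """
    for name, concrete in sorted(env.items(), key=lambda kv: -len(kv[1])):
        text = re.sub(re.escape(concrete.rstrip("\\")), name, text, flags=re.I)
    return text


def scan(file_paths: List[str], autoruns: List[Tuple[str, str, str]],
         env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (severity, artifact, note) for every indicator hit."""
    findings = []
    for path in file_paths:
        norm = normalize(path, env)
        for rx, sev, note in FILE_INDICATORS:
            if rx.match(norm):
                findings.append((sev, path, note))
    for key, name, data in autoruns:
        norm_data = normalize(data, env)
        for krx, nrx, drx, sev, note in REG_INDICATORS:
            if krx.match(key) and nrx.match(name) and drx.search(norm_data):
                findings.append((sev, f"{key}\\{name} = {data}", note))
    return findings


def triage(findings: List[Tuple[str, str, str]]) -> str:
    """'confirmed' if any high-severity hit, 'suspicious' if only low, else 'clean'."""
    severities = {sev for sev, _, _ in findings}
    if "high" in severities:
        return "confirmed"
    return "suspicious" if severities else "clean"


# Constructed sample data (XP-style profile layout matching the writeup's paths).
SAMPLE_ENV = {
    "%Temp%": r"C:\Documents and Settings\bob\Local Settings\Temp",
    "%UserProfile%": r"C:\Documents and Settings\bob",
    "%AllUsersProfile%": r"C:\Documents and Settings\All Users",
}
SAMPLE_FILES = [
    r"C:\Documents and Settings\bob\Local Settings\Temp\IXP000.TMP\ctfmon.exe",
    r"C:\Documents and Settings\All Users\Application Data\libssp-0.dll",
    r"C:\Documents and Settings\bob\xupdater.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",  # legitimate copy; must not match
]
SAMPLE_AUTORUNS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "pidgin",
     r"C:\Documents and Settings\All Users\Application Data\ctfmon.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0",
     r'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Documents and Settings\bob\Local Settings\Temp\IXP000.TMP\"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Program Files\Vendor\updater.exe"),  # benign; must not match
]

if __name__ == "__main__":
    hits = scan(SAMPLE_FILES, SAMPLE_AUTORUNS, SAMPLE_ENV)
    for sev, artifact, note in hits:
        print(f"[{sev}] {artifact}: {note}")
    print("verdict:", triage(hits))
```

Note that a host showing only the IXP###.TMP files or the wextract_cleanup values is classified as suspicious rather than confirmed, since those artifacts appear whenever any IExpress package is run; the decisive indicators are the copies under %AllUsersProfile%\Application Data and the profile root together with the "pidgin" Run value.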

Last update 07 November 2014
