
Backdoor.Salgorea.B


First posted on 05 June 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Salgorea.B.

Explanation:

When the Trojan is executed, it creates the following files:
%SystemDrive%\Documents and Settings\All Users\Application Data\Tencent\QQ\Plugin\Com.Tencent.DirectShow\Bundle.rdb
%SystemDrive%\Documents and Settings\All Users\Application Data\Tencent\QQ\qq.exe
%Windir%\Tasks\QQIntlUdt.job
%Windir%\Tasks\QQIntlUdt_%USERNAME%.job
The Trojan creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\mspaint\"(Default)" = "%SystemDrive%\Documents and Settings\All Users\Application Data\Tencent\QQ\Plugin\Com.Tencent.DirectShow\Bundle.rdb"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ime\"Fuzzy" =
HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\Install\SouthBridge\ATI_AHCI_RAID\"Accessibility,2.0.0.0,,b03f5f7f11d50a3a,msil" = "130774016927030000"
HKEY_CURRENT_USER\Software\EasyBoot Systems\"SSID" = "130774016927030000"
HKEY_CLASSES_ROOT\.rpi\@ = "rpifile"
The Trojan injects code and the Bundle.rdb file into the following location:
msiexec.exe
The Trojan will use the injected code to call the following to load the Bundle.rdb file:
LoadLibraryW()
Note: Bundle.rdb is actually a DLL file.

The Trojan opens a back door on the compromised computer, and connects to one of the following locations:
active.soariz.com
sin04s01.llstpaz.com
zone.mizove.com
The Trojan may set the following environment variables:
VarName = "{55F154C0-CDAF-45C4-9A1A-852FF51F951E}"
Value = "{55F154C0-CDAF-45C4-9A1A-852FF51F951E}"
The Trojan may perform the following actions:
Load libraries and run exported functions
Read files
Write files
Delete files
Create directories
Terminate processes
Enumerate registry keys
Collect system information
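As an added defender-side example (not part of the Symantec write-up), the following Python script turns the file, domain and injection indicators listed above into matching rules and runs them over a few constructed event lines. The "kind|value" event format, the regex expansions chosen for %SystemDrive%, %Windir% and %USERNAME%, and the sample events are assumptions made for the example.

```python
import re

# Indicators transcribed from the write-up above; %VAR% placeholders are kept
# in template form and expanded into regexes below.
FILE_TEMPLATES = [
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\Tencent\QQ\Plugin\Com.Tencent.DirectShow\Bundle.rdb",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\Tencent\QQ\qq.exe",
    r"%Windir%\Tasks\QQIntlUdt.job",
    r"%Windir%\Tasks\QQIntlUdt_%USERNAME%.job",
]
C2_DOMAINS = {"active.soariz.com", "sin04s01.llstpaz.com", "zone.mizove.com"}
INJECT_TARGET = "msiexec.exe"
# Assumed regex fragments per placeholder: drive letter, Windows dir, user name.
PLACEHOLDERS = {
    "%SystemDrive%": r"[A-Za-z]:",
    "%Windir%": r"[A-Za-z]:\\(?:Windows|WINNT)",
    "%USERNAME%": r"[^\\]+",
}

def template_to_regex(template):
    """Turn a %VAR%-style path template into a case-insensitive full-match regex."""
    parts = re.split(r"(%[A-Za-z]+%)", template)
    body = "".join(PLACEHOLDERS.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)
FILE_PATTERNS = [template_to_regex(t) for t in FILE_TEMPLATES]

def scan_events(events):
    """Scan 'kind|value' lines (constructed format) and return matching (kind, value) pairs."""
    hits = []
    for line in events:
        kind, _, value = line.strip().partition("|")
        value = value.strip()
        if kind == "FILE_CREATE" and any(p.match(value) for p in FILE_PATTERNS):
            hits.append((kind, value))
        elif kind == "DNS_QUERY" and value.lower().rstrip(".") in C2_DOMAINS:
            hits.append((kind, value))
        elif kind == "INJECT" and value.lower().endswith("\\" + INJECT_TARGET):
            hits.append((kind, value))
    return hits

SAMPLE_EVENTS = [  # constructed sample events, not taken from the write-up
    r"FILE_CREATE|C:\Windows\Tasks\QQIntlUdt_alice.job",
    r"FILE_CREATE|C:\Windows\Tasks\Backup.job",
    r"FILE_CREATE|c:\documents and settings\all users\application data\tencent\qq\plugin\com.tencent.directshow\bundle.rdb",
    r"DNS_QUERY|zone.mizove.com",
    r"DNS_QUERY|www.example.com",
    r"INJECT|C:\Windows\System32\msiexec.exe",
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))
```

Matching is case-insensitive and the %USERNAME% task name is matched as a pattern, so a task such as QQIntlUdt_alice.job is flagged while an unrelated Backup.job is not.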

Last update 05 June 2015
