
Backdoor.Alienspy


First posted on 18 April 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Alienspy.

Explanation:

When the Trojan is executed, it creates the following files:
%AppData%\[FOLDER NAME]\Desktop.ini
%AppData%\[FOLDER NAME]\[FILE NAME]

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[REGISTRY NAME]" = ""[PATH TO JAVA RUNTIME ENVIRONMENT]" -jar "%AppData%\[FOLDER NAME]\[FILE NAME]""
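A defender-side check for the persistence entry described above, added here as an example and not taken from the Symantec writeup: it tokenizes a Run-key command line and flags the "<java runtime>" -jar "%AppData%\<folder>\<file>" shape. The sample entries, the javaw.exe path and the folder/jar names are constructed; scan_run_key() is an assumed helper that enumerates the HKLM Run key only when run on Windows.

```python
import os
import re
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  # key named on the page
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample Run-key values (not from the page): the first mirrors the
# Trojan's entry, the others are benign lookalikes that must not be flagged.
SAMPLE_RUN_ENTRIES = {
    "jre_update": r'"C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe" -jar "%AppData%\ntfsmgr\ntfsmgr.jar"',
    "SunJavaUpdateSched": r'"C:\Program Files\Java\jre1.8.0_40\bin\jusched.exe"',
    "VendorApp": r'"C:\Program Files\Java\jre1.8.0_40\bin\java.exe" -jar "C:\Program Files\VendorApp\app.jar"',
}

def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace, keeping double-quoted arguments intact (backslashes are path separators, not escapes)."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]

def is_appdata_jar_autorun(cmdline: str, appdata: str = "") -> bool:
    """True when the launcher is java/javaw and the argument after -jar lies under
    the user's AppData folder, i.e. the shape of the persistence entry above."""
    tokens = [t.lower() for t in split_windows_cmdline(cmdline)]
    if not tokens or not re.search(r"(^|\\)javaw?(\.exe)?$", tokens[0]):
        return False
    if "-jar" not in tokens or tokens.index("-jar") + 1 >= len(tokens):
        return False  # no -jar, or -jar with nothing after it
    jar = tokens[tokens.index("-jar") + 1]
    if "%appdata%" in jar or "\\appdata\\roaming\\" in jar:
        return True
    return bool(appdata) and jar.startswith(appdata.lower())

def scan_run_key() -> list[tuple[str, str]]:
    """Assumed helper: on Windows, return (value name, command) pairs from the
    HKLM Run key that match the heuristic; on other platforms return []."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    hits, i = [], 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            i += 1
            if isinstance(data, str) and is_appdata_jar_autorun(data, os.environ.get("APPDATA", "")):
                hits.append((name, data))
    return hits

if __name__ == "__main__":
    for name, cmd in SAMPLE_RUN_ENTRIES.items():
        print(f"{name}: {'SUSPICIOUS' if is_appdata_jar_autorun(cmd) else 'ok'}")
```

The heuristic only matches the launch shape; a hit still needs the jar itself examined, since a legitimate installer can also drop a jar under %AppData%.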

The Trojan opens a back door on the compromised computer and connects to the following remote locations:
38.89.137.248:1064
moneybank92.no-ip.biz:2553
204.45.207.40:1077
Note: The Trojan can be configured to use any C&C server and port.

The Trojan may then perform any of the following actions:
Collect system information
Read, write, or delete files
Use remote desktop to watch user activity
Log keystrokes
Steal browser passwords
Download and execute files
Capture webcam video and microphone audio
Display a message dialog
Open specified URLs
Update and uninstall itself
Shut down and restart the C&C connection
Detect VMware and Vbox
Terminate or hijack antivirus product processes

Last update 18 April 2015
