
Backdoor.Chilurat


First posted on 08 January 2016.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Chilurat.

Explanation:

When the Trojan is executed, it creates the following files:

%AllUsersProfile%\WEventsCache\data.dat
%AllUsersProfile%\WEventsCache\ser.dat
%AllUsersProfile%\WEventsCache\shell.dll

The Trojan creates the following registry entries, which install shell.dll as a service DLL loaded by svchost.exe under the service name WMICacheEvents:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMICacheEvents\"DisplayName" = "WMICacheEvents Modules Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMICacheEvents\"Description" = "WMICache information from Windows Management file"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMICacheEvents\"ImagePath" = %SystemDrive%\system32\svchost.exe -k XLServant
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMICacheEvents\Parameters\"ServiceDll" = %AllUsersProfile%\WEventsCache\shell.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMICacheEvents\Parameters\"ServiceMain" = "Main"

The Trojan opens a back door on the compromised computer and connects to the following remote location:

computer.security-centers.com, TCP port 25

The Trojan may perform the following actions:

List available drives
List directories
List files
Download files
Upload files
Execute files
Delete files
Create a cmd shell
Obtain a user list
Uninstall itself

The Trojan may steal the following information from the compromised computer:

Computer name
IP address
OS information
Install time
CPU number
CPU speed
Privileges of the current user
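As an added example (not part of the Symantec write-up), the following PowerShell script checks a host for the file, registry and DNS indicators listed above. The variable names are mine; the survey of every service's ServiceDll and the DNS-cache lookup go beyond the specific entries in the write-up and are meant as a broader hunting check for the same svchost-hosted service DLL technique.

```powershell
# Added example: hunt for the Backdoor.Chilurat persistence indicators from the
# write-up above (service WMICacheEvents, hosted by svchost.exe via a ServiceDll
# in %AllUsersProfile%\WEventsCache). Run as an administrator; output is informational.
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\WMICacheEvents'
$paramKey  = "$svcKey\Parameters"
$dropDir   = Join-Path $env:ALLUSERSPROFILE 'WEventsCache'
$dropFiles = 'data.dat', 'ser.dat', 'shell.dll' | ForEach-Object { Join-Path $dropDir $_ }
$c2Domain  = 'computer.security-centers.com'
$findings  = @()

# 1. The specific service key and svchost group name named in the write-up
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: $svcKey (ImagePath='$($svc.ImagePath)')"
    if ($svc.ImagePath -match 'svchost\.exe\s+-k\s+XLServant') {
        $findings += 'ImagePath uses the XLServant svchost group listed in the write-up'
    }
}
if (Test-Path $paramKey) {
    $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
    if ($dll) { $findings += "WMICacheEvents ServiceDll = $dll" }
}

# 2. The dropped files, hashed so the result can be compared with other hosts
foreach ($f in $dropFiles) {
    if (Test-Path $f) {
        $h = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        $findings += "Dropped file present: $f (SHA256 $h)"
    }
}

# 3. Generalisation: any service whose ServiceDll lives outside %SystemRoot%.
#    Legitimate third-party services can appear here; treat hits as leads, not verdicts.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $pk = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.PSChildName)\Parameters"
    if (Test-Path $pk) {
        $dll = (Get-ItemProperty -Path $pk -ErrorAction SilentlyContinue).ServiceDll
        if ($dll -and ($dll -notlike "$env:SystemRoot\*") -and ($dll -notlike '%SystemRoot%\*')) {
            $findings += "Service $($_.PSChildName) loads ServiceDll outside SystemRoot: $dll"
        }
    }
}

# 4. Recent resolution of the C2 domain (Get-DnsClientCache needs Windows 8 / 2012 or later)
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$c2Domain*" }
if ($dns) { $findings += "DNS cache contains $c2Domain" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Backdoor.Chilurat indicators found on this host.' }
```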

Last update 08 January 2016
