
Backdoor.Credmines


First posted on 25 June 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Credmines.

Explanation:

When the Trojan is executed, it creates the following files:
%CurrentFolder%\The list of names.xls
%UserProfile%\Application Data\Microsoft\Protect\CRED
The Trojan creates the following registry key so it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\protect "mshta.exe "%UserProfile%\Application Data\Microsoft\Protect\CRED"
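As an added defender-side example (not part of the Symantec write-up), the following Python flags Run-key entries that match the persistence pattern above: a script host such as mshta.exe launched against a file that sits under a user-profile directory and carries no script extension. The sample entries, including the "protect" value, are constructed for the example.

```python
import re
from typing import NamedTuple

# Constructed sample of HKCU\...\Run values (value name -> command line), as
# "reg query" would list them; "protect" reproduces the value in the write-up.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "protect": r'mshta.exe "%UserProfile%\Application Data\Microsoft\Protect\CRED"',
    "helpviewer": r'C:\Windows\System32\mshta.exe "C:\Program Files\Vendor\help.hta"',
}

# Launchers that execute script content read from an arbitrary file path.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Path fragments that point into user-writable profile locations.
USER_WRITABLE_HINTS = ("%userprofile%", "%appdata%", "%temp%",
                       "\\application data\\", "\\appdata\\")

SCRIPT_EXTENSIONS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


class Finding(NamedTuple):
    value_name: str
    launcher: str
    target: str
    reasons: tuple


def split_command(cmd):
    """Split a Run-key command line into tokens, honouring double quotes
    (shlex is avoided because it mangles Windows backslashes)."""
    return [q if q else u for q, u in _TOKEN.findall(cmd)]


def inspect_run_entry(name, cmd):
    """Return a Finding when a script host is pointed at a suspicious file."""
    tokens = split_command(cmd)
    if not tokens:
        return None
    launcher = tokens[0].rsplit("\\", 1)[-1].lower()
    if launcher not in SCRIPT_HOSTS:
        return None
    target = tokens[1] if len(tokens) > 1 else ""
    low = target.lower()
    reasons = []
    if not low.endswith(SCRIPT_EXTENSIONS):
        reasons.append("target lacks a script-host extension")
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        reasons.append("target lives under a user-writable profile directory")
    return Finding(name, launcher, target, tuple(reasons)) if reasons else None


def inspect_run_entries(entries):
    """Inspect every Run value and keep only the suspicious ones."""
    return [f for f in (inspect_run_entry(n, c) for n, c in entries.items()) if f]
```

On a live host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; a legitimate mshta.exe entry pointing at a vendor .hta under Program Files is not reported.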
The Trojan opens a back door on the compromised computer, and connects to the following location:
[http://]mines.port0.org/commo[REMOVED]
The Trojan may steal the following information:
MD5 of volume serial numbers for each drive
Network adapter information
Computer name
Operating system information
Current user name
Current domain
IP address
Proxy server
The Trojan encodes the stolen information in base 64 and sends it to the remote location.

The Trojan may download and execute potentially malicious files and scripts.

Last update 25 June 2015
