
Win32/Phdet


First posted on 11 December 2012.
Source: Microsoft

Aliases:

Win32/Phdet is also known as DDos.BEnergy (Dr.Web), FDoS-BEnergy (McAfee).

Explanation:



Win32/Phdet is a family of backdoor trojans that are used to perform distributed denial of service (DDoS) attacks against specified targets.



Installation

When Win32/Phdet is run, it copies itself to the <system folder>. The file name used may differ across variants.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

In the wild, we have observed one variant using the file name "mssrv32.exe".

Win32/Phdet registers its copy as a service to ensure that its copy runs at each Windows start. For example, it may set the following values in the registry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\msupdate
Sets value: "ImagePath"
With data: "<system folder>\<malware file name>", for example "C:\Windows\System32\mssrv32.exe"

Sets value: "DisplayName"
With data: "Microsoft security update service"

Sets value: "Description"
With data: "This service downloading and installing Windows security updates"

Sets value: "ObjectName"
With data: "LocalSystem"

Sets value: "Start"
With data: "2"

Sets value: "ErrorControl"
With data: "0"

Sets value: "Type"
With data: "16"
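As an added example that is not part of Microsoft's write-up, the following Python parses a `.reg` export of the Services hive (the format `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` produces) and flags entries that match the persistence indicators listed above: the `msupdate` key name, the `mssrv32.exe` image, the display name and the description string. The sample export, the two-indicator threshold and the helper names are this example's own assumptions; the numeric meanings of `Start` and `Type` are the documented Service Control Manager constants.

```python
"""Flag services whose registry configuration matches the Win32/Phdet
persistence pattern. Hypothetical detection logic written for this page,
not a vendor signature."""
import re

# Constructed sample export: one ordinary service and one entry built from
# the registry values the write-up attributes to Win32/Phdet.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate]
"ImagePath"="C:\\Windows\\System32\\mssrv32.exe"
"DisplayName"="Microsoft security update service"
"Description"="This service downloading and installing Windows security updates"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"Type"=dword:00000010
'''

SERVICES_PREFIX = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\'
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# SCM constants matching the values in the write-up (Start=2, Type=16).
SERVICE_AUTO_START = 2
SERVICE_WIN32_OWN_PROCESS = 0x10


def parse_reg(text):
    """Return {service_name: {value_name: value}} for direct children of
    the Services key. Strings are unescaped; dword values become ints;
    other encodings (hex(7):, etc.) are kept as raw text."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            current = None
            if path.startswith(SERVICES_PREFIX):
                rest = path[len(SERVICES_PREFIX):]
                if '\\' not in rest:          # skip Parameters\... subkeys
                    current = services.setdefault(rest, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, data = val.groups()
            if data.startswith('dword:'):
                value = int(data[len('dword:'):], 16)
            elif data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = data
            current[name] = value
    return services


def phdet_indicators(service_name, values):
    """List which write-up indicators a single service entry matches."""
    hits = []
    image = str(values.get('ImagePath', '')).strip('"').lower()
    exe = image.rsplit('\\', 1)[-1]
    if service_name.lower() == 'msupdate':
        hits.append('service key name msupdate')
    if exe == 'mssrv32.exe':
        hits.append('image file mssrv32.exe')
    if values.get('DisplayName') == 'Microsoft security update service':
        hits.append('Phdet display name')
    if values.get('Description') == ('This service downloading and '
                                     'installing Windows security updates'):
        hits.append('Phdet description string')
    # Context only, not an indicator on its own: an auto-start, own-process
    # service running as LocalSystem is exactly how Phdet registers itself.
    if (values.get('ObjectName') == 'LocalSystem'
            and values.get('Start') == SERVICE_AUTO_START
            and values.get('Type') == SERVICE_WIN32_OWN_PROCESS and hits):
        hits.append('LocalSystem auto-start own-process service')
    return hits


def scan(text, threshold=2):
    """Return {service_name: indicators} for entries with >= threshold hits."""
    flagged = {}
    for name, values in parse_reg(text).items():
        hits = phdet_indicators(name, values)
        if len(hits) >= threshold:
            flagged[name] = hits
    return flagged


if __name__ == '__main__':
    for name, hits in scan(SAMPLE_REG).items():
        print(f'{name}: ' + '; '.join(hits))
```

On a real host, feed `scan()` the contents of an export taken with `reg export`; the two-indicator threshold keeps a lone `LocalSystem` auto-start service from being flagged, since that configuration is shared by many legitimate services.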



Payload

Performs denial of service attacks

Win32/Phdet allows unauthorized access and control of an affected computer. Using this backdoor, an attacker can perform DDoS attacks against specified targets. A remote attacker could perform the following actions on your computer:

  • Perform "flood" (DDoS) attacks using the network protocols ICMP, SYN, HTTP or UDP
  • Disable the trojan
  • Uninstall the trojan
  • Run a specified URL using Internet Explorer


Contacts remote host

Win32/Phdet may also connect to a remote host for instructions, and to send information about your computer (such as your hard drive's serial number). We have observed one sample contacting "<removed>-off.ru" for this purpose.



Analysis by Jireh Sanico and Scott Molenkamp

Last update 11 December 2012
