
Backdoor.Ardu.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Backdoor.Ardu.A.

Explanation :

This backdoor will most likely end up on a system after being downloaded by other malware (e.g. Trojan.Downloader.VBS.DA) under the name %system%\AutoCfg.exe.
It is nothing but a large executable that carries inside its overlay a Ruby interpreter together with the runtime libraries needed to run the malicious script. Once executed, it drops all of these files into %temp%, including the script itself, and then runs the script. The script performs the following:
- retrieve the local computer name
- retrieve the local user name
- retrieve the victim's IP address
- retrieve a file (ip.txt) from the following URL: http://www.run[removed].com/examples/ip.txt, which contains (as its name says) an IP address
- connect to the IP address previously retrieved, on port 2009
- send the data gathered about the victim (IP address, computer name, user name)
- listen for commands that an attacker may send; if the command contains "Goodbye", the session is closed; any other command is appended to the file %system%\AutoCfg.bat (created by the malware)

%system% refers to the system directory, usually c:\windows\system32
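The behaviours listed above can be turned into host-level detection logic. The following is an added example, not code from BitDefender or from the malware: it matches constructed endpoint events (file writes, HTTP requests, outbound connections) against the file names, URL path and port described in this entry, and flags a host only once at least two distinct behaviours are seen, so a single connection to port 2009 does not alert on its own. Host names, event format and sample events are assumptions.

```python
import re
from collections import defaultdict

# Behaviours taken from the write-up, each paired with a matcher over one event.
# The ip.txt URL is matched on its path only, since the host name is redacted.
RULES = {
    "dropper_file": ("file_write", re.compile(r"\\system32\\AutoCfg\.exe$", re.I)),
    "command_log": ("file_write", re.compile(r"\\system32\\AutoCfg\.bat$", re.I)),
    "ip_lookup": ("http_get", re.compile(r"/examples/ip\.txt$", re.I)),
    "c2_port": ("net_connect", re.compile(r":2009$")),
}


def match_event(event_type, detail):
    """Return the names of all rules that fire on a single event."""
    return [name for name, (etype, rx) in RULES.items()
            if etype == event_type and rx.search(detail)]


def flag_hosts(events, threshold=2):
    """Group rule hits per host and flag hosts with at least `threshold`
    distinct behaviours. Events are (host, event_type, detail) tuples."""
    seen = defaultdict(set)
    for host, event_type, detail in events:
        for name in match_event(event_type, detail):
            seen[host].add(name)
    return {h: sorted(names) for h, names in seen.items() if len(names) >= threshold}


# Constructed sample telemetry (assumed format, not real logs).
SAMPLE_EVENTS = [
    ("ws01", "file_write", r"C:\Windows\System32\AutoCfg.exe"),
    ("ws01", "http_get", "http://www.example.invalid/examples/ip.txt"),
    ("ws01", "net_connect", "203.0.113.7:2009"),
    ("ws01", "file_write", r"C:\Windows\System32\AutoCfg.bat"),
    ("ws02", "net_connect", "203.0.113.9:2009"),  # single hit, below threshold
    ("ws03", "file_write", r"C:\Users\alice\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for host, names in flag_hosts(SAMPLE_EVENTS).items():
        print(host, names)
```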

Last update 21 November 2011
