Home / malware

PDF

Backdoor.Cohhoc

First posted on 02 December 2014.
Source: Symantec

Aliases :

There are no other names known for Backdoor.Cohhoc.

Explanation :

The Trojan has been seen being dropped by files that exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

When the Trojan is executed, it creates the following file: %UserProfile%\Start Menu\Programs\Startup\Internet Explorer .lnk
The Trojan then executes the following files if they exist on the compromised computer: %ProgramFiles%\Common Files\System\msadc\ActiveX.bat%SystemDrive%\Documents and Settings\All Users\Application Data\Adobe\ActiveX.bat%SystemDrive%\Documents and Settings\All Users\Application Data\Adobe\ActiveX.dat
The Trojan then connects to one of the following remote locations: www.adobeservice.netnspo.intarnetservice.comwebmail.intarnetservice.comgo-trust.webmailerservices.comwww6.intarnetservice.comwww.webmailerservices.comnetin.intarnetservice.com
The Trojan may then perform the following actions: Open a back doorDownload, upload, execute, and delete filesGather system information, such as the computer name, user name, operating system version, and the current timeAccess CMD.exeCapture screenshotsGather details of all drives on the compromised computer

Last update 02 December 2014

 

TOP