
Backdoor.Wofeksad


First posted on 25 March 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Wofeksad.

Explanation:

The Trojan may arrive on the compromised computer from spam emails.

When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\WMService.exe
%UserProfile%\Application Data\winsms.exe
%SystemDrive%\Documents and Settings\All Users\iexplore.exe
%AllUsersProfile%\iexplore.exe
%UserProfile%\Application Data\iexplore.exe
%UserProfile%\Application Data\sMin4pnp.exe
%UserProfile%\Application Data\avp32.exe
%Temp%\s.bin
The Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HotKey" = "%%UserProfile%\Application Data\WMService.exe -st"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HotKey" = "UserProfile%\Application Data\winsms.exe -st"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HotKey" = "%SystemDrive%\Documents and Settings\All Users\iexplore.exe -st"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HotKey" = "%UserProfile%\Application Data\iexplore.exe -st"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HotKey" = "%UserProfile%\Application Data\sMin4pnp.exe -st"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HotKey" = "%%UserProfile%\Application Data\avp32.exe -st"
The Trojan may open a back door, and connect to one of the following locations:
www.cuhk.proxydns.com
www.sslquery.myz.info
nhdsfes.sellclassics.com
eset-windows.findhere.org
The Trojan may receive and run arbitrary commands from the remote attacker.

The Trojan may download and execute potentially malicious files.
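As an added example (not part of the Symantec description), the following Python checks a .reg export of the HKCU Run key for entries that match the persistence pattern described above: the "HotKey" value name, the "-st" argument, and the dropped file names placed in profile data directories. The sample export and the two-indicator reporting threshold are constructed for illustration.

```python
import re
from typing import List, Tuple

# Indicators taken from the description above: dropped file names, the Run
# value name the Trojan uses and the argument it appends to each command.
DROPPED_FILES = {"wmservice.exe", "winsms.exe", "iexplore.exe",
                 "smin4pnp.exe", "avp32.exe"}
RUN_VALUE_NAME = "hotkey"
RUN_ARGUMENT = "-st"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"

# One "name"="data" line of a .reg export (string values only).
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for each string value in a .reg export.
    .reg files double every backslash inside data; undo that for matching."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def flag_wofeksad_run_entries(entries):
    """Return (value_name, data, reasons) for HKCU Run entries where at least
    two indicators coincide, so one benign "-st" switch alone is not reported."""
    hits = []
    for key, name, data in entries:
        if key.lower() != RUN_KEY:
            continue
        lowered = data.strip().lower()
        has_switch = lowered.endswith(" " + RUN_ARGUMENT)
        path = lowered[:-len(RUN_ARGUMENT)].strip() if has_switch else lowered
        basename = path.strip('"').rsplit("\\", 1)[-1]
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append('value name "HotKey"')
        if has_switch:
            reasons.append('"-st" argument')
        if basename in DROPPED_FILES:
            reasons.append("dropped file name " + basename)
        if "\\application data\\" in path or "\\all users\\" in path:
            reasons.append("executable in a profile data directory")
        if len(reasons) >= 2:
            hits.append((name, data, reasons))
    return hits


# Constructed sample export (not from the page): one benign entry plus two
# entries shaped like the Run values listed in the description.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"HotKey"="C:\\Documents and Settings\\alice\\Application Data\\WMService.exe -st"
"Updater"="C:\\Documents and Settings\\All Users\\iexplore.exe -st"
"""

if __name__ == "__main__":
    for name, data, reasons in flag_wofeksad_run_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{name}: {data}\n    {'; '.join(reasons)}")
```

Run against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` output from a host under investigation; the third sample entry shows that a renamed value is still caught by the remaining indicators.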

Last update 25 March 2015
