
Backdoor:Win32/Faitypelf.B


First posted on 15 December 2009.
Source: SecurityHome

Aliases :

Backdoor:Win32/Faitypelf.B is also known as MSN Bot (other), Server-Proxy.Win32.RCService (Ikarus).

Explanation :

Backdoor:Win32/Faitypelf.B is a backdoor trojan that allows remote access and control. The trojan receives commands from a remote attacker over the MSN Messenger protocol and carries them out on the infected computer.

Installation :

This trojan may be installed by other malware, or manually by a user in a command console. The registry may be modified to run the trojan as a service, using parameters specified during installation:

Adds value: "<Win32/Faitypelf.B file name>"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services

Adds value: "ImagePath"
With data: "<Win32/Faitypelf.B path and file name>"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\<Win32/Faitypelf.B file name>

The trojan then connects to MSN Messenger servers using predefined credentials supplied by the installer and awaits a connection from the attacker.

Payload :

Allows backdoor access and control

Backdoor:Win32/Faitypelf.B functions as an MSN Messenger client and awaits a connection from an attacker. The trojan responds to various commands sent by the attacker, such as the following:

  • kill processes
  • execute programs
  • list current processes
  • select directory for saving files (downloads and log files)
  • set MSN display name
  • get system information (computer name, OS version, CPU type, logged in/locked status)
  • retrieve proxy settings
  • scan winlogon.exe memory for password (Windows 2000 only)
  • send Ctrl + Alt + Del
  • shutdown
  • restart
  • logoff
  • lock
  • take snapshot of the screen
  • download files via HTTP

Additional Information :

A registry value is added to serve as an installation marker:

Adds value: "msnbot"
With data: "<installer's choice>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

Some messages sent by the trojan are in simplified Chinese.
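The two registry artefacts described above (the service registered under HKLM\SYSTEM\CurrentControlSet\Services with an ImagePath pointing at the trojan, and the "msnbot" marker value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion) are the most practical things to check on a suspect host. The script below is an added triage example written for this page; it is not part of the original write-up and not the trojan's own code. It assumes a live Windows host, an elevated PowerShell prompt and the default directory layout, and the function names (Test-FaitypelfMarker, Resolve-ServiceExecutable, Get-ServiceOutsideExpectedRoots) are this example's own. Because both the service name and the marker data are chosen by the installer, it looks for the pattern (a service executable outside the usual system and program directories; the presence of the marker value at all) rather than for a fixed name.

```powershell
# Added triage script (not part of the original write-up). Read-only: it
# reports, it does not remove anything. Run from an elevated PowerShell prompt.

# Directories in which a service executable is expected to live. Anything
# else is listed for manual review. Assumption: default Windows layout.
$script:ExpectedRoots = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

function Test-FaitypelfMarker {
    # The entry's installation marker: value "msnbot" (installer-chosen data)
    # under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion. Returns $null if absent.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $item = Get-ItemProperty -Path $key -Name 'msnbot' -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        [pscustomobject]@{ Key = $key; Value = 'msnbot'; Data = $item.msnbot }
    }
}

function Resolve-ServiceExecutable {
    # Turn an ImagePath string into a comparable absolute path of the executable.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }                        # "C:\x y\a.exe" -args
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }   # C:\a\b.exe -args
    $p = $p -replace '^\\\?\?\\', ''                                        # NT object path prefix \??\
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^([A-Za-z]:\\|\\\\)') { $p = Join-Path $env:SystemRoot $p }  # e.g. System32\drivers\x.sys
    return $p
}

function Get-ServiceOutsideExpectedRoots {
    # Every service whose ImagePath is outside ExpectedRoots. The trojan's
    # service name is installer-chosen, so the name itself is not a signal.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }
        $exe = Resolve-ServiceExecutable -ImagePath $props.ImagePath
        $exeLower = $exe.ToLowerInvariant()
        $expected = $false
        foreach ($root in $script:ExpectedRoots) {
            if ($exeLower.StartsWith($root)) { $expected = $true; break }
        }
        if (-not $expected) {
            [pscustomobject]@{
                Service    = $svc.PSChildName
                Start      = $props.Start          # 2 = automatic, 3 = manual, 4 = disabled
                Executable = $exe
                Exists     = Test-Path -LiteralPath $exe
                ImagePath  = $props.ImagePath
            }
        }
    }
}

$marker = Test-FaitypelfMarker
if ($marker) {
    Write-Warning ("Installation marker found: {0}\{1} = {2}" -f $marker.Key, $marker.Value, $marker.Data)
} else {
    Write-Host 'No "msnbot" value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'
}

Get-ServiceOutsideExpectedRoots | Sort-Object Service | Format-Table -AutoSize
```

Expect some noise from the service listing: legitimate third-party services installed outside Program Files (or a non-default layout) will also appear, so each hit still needs a look at the executable's signature, file hash and creation time. Absence of the "msnbot" value is not proof of a clean host either; the marker is written by the installer, and an installer that omits it leaves only the service entry to find.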

Analysis by Shali Hsieh

Last update 15 December 2009
