
Backdoor:Win32/Aycheh.A


First posted on 11 June 2010.
Source: SecurityHome

Aliases :

Backdoor:Win32/Aycheh.A is also known as Worm.Rbot.AYDN (VirusBuster), WORM/Rbot.Gen (Avira), BackDoor!cqz (McAfee), BACKDOOR.Trojan (Symantec), BKDR_HTTBOT.EA (Trend Micro).

Explanation :

Backdoor:Win32/Aycheh.A is a trojan that has backdoor capabilities and can allow backdoor access and control of an infected computer by a remote attacker.

Installation :

Backdoor:Win32/Aycheh.A may create the following mutex to ensure that only one instance of itself is running:

  • {WMI-79170F60-954E-47f3-A9A3-595F2F242B30-0810}

It also creates the following non-malicious files as part of its installation process:

  • <system folder>\wmicfg32.dat
  • %Temp%\mywmimutex.dat

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Payload :

Allows backdoor access and control

Backdoor:Win32/Aycheh.A receives instructions via HTTP POST commands on port 80. The instructions it may receive from a remote attacker include, but are not limited to, the following:

  • Checks if the computer has security updates installed
  • Checks the Operating System version
  • Downloads and executes other possible malicious files
  • Updates itself
  • Enumerates drives
  • Performs file handling operations on the computer, such as:
      • copying files
      • creating folders
      • deleting files
      • enumerating files
      • executing files
      • moving files
      • renaming files
      • uploading files
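The mutex name and the two dropped files above are the host indicators a responder can check for directly. The read-only triage script below is an added example written for this page, not code from the original analysis; it assumes a Vista-or-later profile layout under %SystemDrive%\Users for the per-user %Temp% sweep (on Windows 2000/XP the profiles live under Documents and Settings) and that it is run from an elevated PowerShell session.

```powershell
# Added triage check for the Backdoor:Win32/Aycheh.A indicators listed on this page.
# Example code, not part of the original write-up. Read-only: reports findings, changes nothing.
# Assumes a Vista+ profile layout (%SystemDrive%\Users\<user>\AppData\Local\Temp).

$mutexName = '{WMI-79170F60-954E-47f3-A9A3-595F2F242B30-0810}'   # mutex named on the page
$files = @(
    (Join-Path $env:SystemRoot 'System32\wmicfg32.dat'),   # <system folder>\wmicfg32.dat
    (Join-Path $env:TEMP 'mywmimutex.dat')                 # %Temp%\mywmimutex.dat (current user)
)
$findings = @()

# 1. Mutex: OpenExisting succeeds only while a running process holds the name.
#    The page does not say which namespace is used, so check session-local and Global\.
foreach ($name in @($mutexName, "Global\$mutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex present: $name (a live process holds the Aycheh.A mutex)"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present in this namespace
    } catch [System.UnauthorizedAccessException] {
        # exists but this token cannot open it; still worth reporting
        $findings += "Mutex exists but access denied: $name"
    }
}

# 2. Dropped files. %Temp% is per user, so also sweep every profile's Temp folder.
$profileTemps = Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp\mywmimutex.dat' }
$paths = @($files) + @($profileTemps) | Select-Object -Unique

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash   # record for the case file
        $findings += "File present: $p size=$($f.Length) mtime=$($f.LastWriteTimeUtc) sha256=$hash"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No Aycheh.A host indicators found.'
}
```

A match on the files alone means the installation ran at some point; only the mutex check tells you the backdoor is currently resident, so pair this with a look at outbound HTTP POST traffic on port 80 from the host.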


Analysis by Marianne Mallen

Last update 11 June 2010