
Backdoor:Win32/Mdmbot.B


First posted on 18 January 2010.
Source: SecurityHome

Aliases :

Backdoor:Win32/Mdmbot.B is also known as Trojan.Agent.AOGG (BitDefender), Generic Spy.e (McAfee), Trojan.Hydraq (Symantec).

Explanation :

Backdoor:Win32/Mdmbot.B is a trojan that allows unauthorized access and control of an affected computer.

Installation
In the wild, Backdoor:Win32/Mdmbot.B has been distributed with the filename rasmon.dll. When run, it copies itself to %temp%\c_1758.nls and modifies the registry so that the copy is loaded by svchost.exe as a service DLL, making it appear to be a legitimate system service:

  • Adds value: "ImagePath"
    With data: "<system folder>\svchost.exe -k netsvcs"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\Ras[4 random characters]
  • Adds value: "ServiceDll"
    With data: "%temp%\c_1758.nls"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]\Parameters

After the malicious service is started, it deletes the entry:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\Ras[4 random characters]

This prevents the affected user from properly stopping the malicious service.

Backdoor:Win32/Mdmbot.B also creates the following registry entries to store configuration information:

  • HKLM\Software\Sun\1.1.2\"IsoTp"
  • HKLM\Software\Sun\1.1.2\"AppleTlk"

Payload
Allows backdoor access and control
Backdoor:Win32/Mdmbot.B checks to see if the following files exist on the affected computer:

  • <system folder>\acelpvc.dll
  • <system folder>\VedioDriver.dll

These files may be detected as the program RemoteAccess:Win32/RealVNC. If these files exist, Backdoor:Win32/Mdmbot.B uses them to obtain remote backdoor access to the affected computer. Using this backdoor, an attacker can perform a number of different actions, including:

  • Deleting itself
  • Clearing the system log
  • Deleting the file <system folder>\drivers\etc\networks.ics
  • Retrieving CPU information from the following registry entry:
    HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  • Shutting down the affected computer

Connects to remote hosts
Backdoor:Win32/Mdmbot.B may contact a number of specified remote hosts. Commonly, malware may contact a remote host for the following purposes:

  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instructions from a remote attacker
  • To upload data taken from the affected computer
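The registry and file indicators from the Installation and Payload sections above, turned into a host hunt. This is an added example and is not part of the original analysis; it checks a live Windows host from an elevated PowerShell prompt. The indicator values (service DLL path, svchost group pattern, the Sun\1.1.2 configuration values, the VNC component file names) are those listed on this page; the function name, the output fields and the extra look in %SystemRoot%\Temp (the %temp% of the SYSTEM account that a service runs as, which differs from the logged-on user's) are my own assumptions. Treat each hit as a lead rather than a verdict: a third-party service can legitimately load its ServiceDll from outside the system folder, and the built-in RasAuto service also happens to match the "Ras" plus four characters name pattern.

```powershell
# Added hunt script, not from the original write-up. Flags the Mdmbot.B
# persistence and payload indicators described on this page. Run elevated.
function Find-MdmbotIndicators {
    $sysDir    = [Environment]::GetFolderPath('System')     # <system folder>
    $tempDirs  = @([IO.Path]::GetTempPath().TrimEnd('\'),   # %temp% of the current user
                   "$env:SystemRoot\Temp")                  # assumption: %temp% of SYSTEM
    $svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $groupRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $findings  = New-Object 'System.Collections.Generic.List[object]'

    # svchost group table: value name = group, data = service names (REG_MULTI_SZ)
    $svcHost = Get-ItemProperty -Path $groupRoot -ErrorAction SilentlyContinue

    foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $name  = $key.PSChildName
        $props = Get-ItemProperty -Path "$svcRoot\$name" -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        # Only svchost-hosted services are relevant to this persistence pattern
        if (-not ($image -match '(?i)svchost\.exe\s+-k\s+(\S+)')) { continue }
        $group  = $Matches[1]
        $params = Get-ItemProperty -Path "$svcRoot\$name\Parameters" -ErrorAction SilentlyContinue

        # 1. ServiceDll loaded from outside the system folder (sample: %temp%\c_1758.nls)
        if ($params -and $params.ServiceDll) {
            $dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
            if (-not $dll.StartsWith($sysDir, [StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add([pscustomobject]@{
                    Kind = 'ServiceDllOutsideSystemDir'; Service = $name; Detail = $dll })
            }
        }

        # 2. Service names a svchost group that does not list it: the page says the
        #    malware deletes its SvcHost entry once the service is running.
        $members = @($svcHost.$group)
        if ($members -notcontains $name) {
            $findings.Add([pscustomobject]@{
                Kind = 'MissingSvcHostGroupEntry'; Service = $name
                Detail = "ImagePath uses -k $group but $group does not list $name" })
        }

        # 3. Name shaped like Ras + 4 characters. Weak on its own (RasAuto matches too),
        #    so it is reported only when another check already fired for this service.
        if ($name -match '(?i)^ras.{4}$' -and ($findings | Where-Object Service -eq $name)) {
            $findings.Add([pscustomobject]@{
                Kind = 'NameMatchesRasPattern'; Service = $name; Detail = $name })
        }
    }

    # 4. Configuration values the sample stores under HKLM\Software\Sun\1.1.2
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Sun\1.1.2' -ErrorAction SilentlyContinue
    foreach ($v in 'IsoTp', 'AppleTlk') {
        if ($cfg -and $null -ne $cfg.$v) {
            $findings.Add([pscustomobject]@{
                Kind = 'ConfigValuePresent'; Service = ''; Detail = "HKLM\SOFTWARE\Sun\1.1.2\$v" })
        }
    }

    # 5. Dropped copy and the VNC components the backdoor looks for
    $files = @("$sysDir\acelpvc.dll", "$sysDir\VedioDriver.dll")
    $files += $tempDirs | ForEach-Object { "$_\c_1758.nls" }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings.Add([pscustomobject]@{ Kind = 'FilePresent'; Service = ''; Detail = $f })
        }
    }
    return $findings
}

Find-MdmbotIndicators | Format-Table -AutoSize
```

The orphaned-group check (2) is the one that survives the cleanup step described in the Installation section: once the malware deletes its SvcHost entry, the service key still says "svchost.exe -k netsvcs" but no group lists the RaS[4 random characters] name, which is exactly the inconsistency the check looks for. Check 1 is the strongest single indicator, since a service DLL in a temp directory has no legitimate reason to exist.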


Analysis by Tim Liu

Last update 18 January 2010