Description
Win32.Mitglieder.AC is a backdoor trojan and SOCKS proxy that allows unauthorized access to a victim's machine. The trojan is distributed as a 7,824-byte FSG-compressed Win32 executable.
This threat is proactively detected by CA Antivirus solutions as Win32/Bagle.Variant.Worm.
Method of Infection
When run, it copies itself to:
%System%\window.exe
It then adds this registry value to run this copy each time Windows starts:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\window.exe = "%System%\window.exe"
These registry values are also created by the trojan:
HKCU\SOFTWARE\Timeout\uid - <8-digit number>
HKCU\SOFTWARE\Timeout\port - backdoor port number
HKCU\SOFTWARE\Timeout\pid - trojan process id
Before the trojan installs itself, it reads the process id stored in the registry value "pid" and terminates that process, assuming it is another instance of itself. After installation, it records its own process id in the same registry value.
Payload
It effectively functions as a SOCKS proxy. It can be used to redirect network traffic through the affected system, for example, to hide the true source of malicious activity on the Internet. It listens on port 14247, allowing remote access to the machine. Additionally, it accepts the following backdoor commands from its remote controller:
- Uninstall itself
- Download a file to %Windows%\iuplda.exe
- Execute files
- Change the backdoor's port
- Start SMTP service listening on port 25, which can be used for relaying emails, including spam.
It sends the value it stores in "HKCU\SOFTWARE\Timeout\uid" and the backdoor port number it listens on to the following web sites to announce the infection:
http :// bohema.amillo.net/host.php
http :// abc517.net/host.php
http :// www. abc986.net/host.php
This process is repeated every 3 hours.
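The following PowerShell script is an added example, not part of the CA advisory, that checks a host for the indicators described under Method of Infection and Payload: the dropped copy, the Run value, the HKCU\SOFTWARE\Timeout values, the download target, and listeners on the default backdoor and SMTP ports. It is read-only and only reports what it finds.

```powershell
# Added example: read-only host check for Win32.Mitglieder.AC indicators
# taken from the advisory above. Run in an elevated PowerShell session.
$system   = [Environment]::GetFolderPath('System')
$windir   = [Environment]::GetFolderPath('Windows')
$findings = @()
$props    = $null

# 1. Dropped copy at %System%\window.exe (advisory: 7,824-byte FSG-packed file)
$copy = Join-Path $system 'window.exe'
if (Test-Path $copy) {
    $len  = (Get-Item $copy).Length
    $note = if ($len -eq 7824) { ', matches advisory size' } else { '' }
    $findings += "File present: $copy ($len bytes$note)"
}

# 2. Download target used by the "download a file" command
$dl = Join-Path $windir 'iuplda.exe'
if (Test-Path $dl) { $findings += "File present: $dl" }

# 3. Persistence via the HKCU Run key
$run = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$val = (Get-ItemProperty -Path $run -Name 'window.exe' -ErrorAction SilentlyContinue).'window.exe'
if ($val) { $findings += "Run value window.exe = $val" }

# 4. HKCU\SOFTWARE\Timeout values (uid, port, pid) created by the trojan
$timeout = 'HKCU:\SOFTWARE\Timeout'
if (Test-Path $timeout) {
    $props = Get-ItemProperty -Path $timeout
    foreach ($name in 'uid', 'port', 'pid') {
        if ($null -ne $props.$name) { $findings += "Timeout\$name = $($props.$name)" }
    }
    # The pid value points at the running trojan process, if it is still alive
    if ($props.pid) {
        $proc = Get-Process -Id $props.pid -ErrorAction SilentlyContinue
        if ($proc) { $findings += "Process $($proc.Id) ($($proc.ProcessName)) matches Timeout\pid" }
    }
}

# 5. Listeners on the default backdoor port (14247) and the SMTP relay port (25).
#    The controller can change the backdoor port, so Timeout\port is also checked.
$ports = @(14247, 25)
if ($props -and $props.port) { $ports += [int]$props.port }
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    ForEach-Object { $findings += "Listener on port $($_.LocalPort), owning PID $($_.OwningProcess)" }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Win32.Mitglieder.AC indicators found.' }
```

Because the Run value and Timeout key live under HKCU, run the check in the context of each user profile on the machine, not only the current one.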
Analysis by Sha-Li Hsieh