Backdoor.Edunet.A (aliases: Trojan:Win32/Danmec.gen!A, BDS/Backdoor.Gen)
SYMPTOMS: You will notice increased network activity; the malware opens a large number of outbound SMTP (TCP port 25) connections. The infection occurs when a web page asks you to download a certain "video codec" in order to watch a movie clip you are interested in; the supposed codec is the dropper.

TECHNICAL DESCRIPTION: The original malware file is a dropper. It writes the actual malware into the %WINDIR%\System32 folder under the name ACPI.exe, exits as a process and then deletes itself using a self-delete .bat file. The file name is chosen to masquerade as a legitimate Windows component: ACPI stands for Advanced Configuration and Power Interface, and the genuine ACPI support ships as the driver acpi.sys in %WINDIR%\System32\drivers. Windows does not ship an ACPI.exe, so a file of that name in System32 is an indicator of this infection.

The virus is a proxy mass mailer that uses a backdoor connection to retrieve configuration data from the attacker. The interesting thing about it is that it tries to connect to a considerable number of SMTP servers, most of them belonging to universities, along with a US Navy laboratory, US state and county governments and several public mail providers. The list of servers used at testing time (hostname followed by IP address) is:

ns.uk2.net 83.170.69.14
www.yahoo.com 87.248.113.14
www.web.de 217.72.195.42
216.245.195.34 216.245.195.34
john 192.168.13.2
mx-h.gmu.edu 129.174.0.99
prince.cceb.med.upenn.edu 128.91.204.88
smtp.service.emory.edu 170.140.52.178
mx.usc.edu 128.125.253.79
zeratul.whoi.edu 128.128.76.62
tassadar.whoi.edu 128.128.76.63
smtp-gw-ext.pima.edu 144.90.137.216
external-smtp-multi-vif.cc.columbia.edu 128.59.48.6
mail.ee.gatech.edu 130.207.225.105
mail2.mc.maricopa.edu 140.198.64.111
asg6.wright.edu 130.108.128.92
apollo.sjsu.edu 130.65.3.73
smtp02.olin.edu 209.94.128.135
mail.bc.edu 136.167.2.24
hscantispam.health.usf.edu 131.247.67.45
mx.dcn.davis.ca.us 168.150.253.5
emory.edu.s7a1.psmtp.com 64.18.6.14
mail.ece.gatech.edu 143.215.151.200
mail1.mc.maricopa.edu 140.198.64.113
asg4.wright.edu 130.108.128.91
hestia.sjsu.edu 130.65.3.74
smtp01.olin.edu 4.21.175.135
purgatory.bc.edu 136.167.2.254
uihc-mx.uihc.uiowa.edu 129.255.114.164
hscantispam.hsc.usf.edu 131.247.67.45
emory.edu.s7a2.psmtp.com 64.18.6.13
demeter.sjsu.edu 130.65.3.75
uihc-mxii.uihc.uiowa.edu 129.255.150.25
mailhub.appstate.edu 152.10.1.150
mail.lehigh.edu 128.180.2.160
emory.edu.s7b1.psmtp.com 64.18.6.11
smail7.nrl.navy.mil 132.250.1.17
emory.edu.s7b2.psmtp.com 64.18.6.10
ironport.ucc.vcu.edu 128.172.8.171
smail5.nrl.navy.mil 132.250.1.14
smtp1.etsu.edu 151.141.9.24
mailgate4.co.hennepin.mn.us 204.73.55.44
ironport2.ucc.vcu.edu 128.172.8.176
smail6.nrl.navy.mil 132.250.1.149
mx4.bucknell.edu 134.82.9.78
extrelay6.state.nd.us 165.234.64.65
mailgate5.co.hennepin.mn.us 207.225.131.11
mx5.bucknell.edu 134.82.9.77
mhub-m.tc.umn.edu 134.84.119.105
mp2.cc.umb.edu 158.121.14.102
esra.chem.sc.edu 129.252.244.5
extrelay5.state.nd.us 165.234.64.66
mx1.bucknell.edu 134.82.9.129
mhub-w.tc.umn.edu 134.84.119.8
mp1.cc.umb.edu 158.121.14.101
pennant.ceris.purdue.edu 128.210.64.11
router3.mail.cornell.edu 132.236.56.25
mx2.bucknell.edu 134.82.9.73
mhub-a.tc.umn.edu 134.84.119.205
router4.mail.cornell.edu 132.236.56.17
cluster5.us.messagelabs.com 216.82.253.19

The entry "john 192.168.13.2" is a private (RFC 1918) address, presumably a host on the analysis network rather than an Internet relay.

In our tests these servers rejected every connection initiated by this malware, so they remain secure and immune to any attempt by this particular malware to use them as SMTP relay servers for delivering spam.

Removal instructions: Please let BitDefender disinfect your computer.

ANALYZED BY: Mihai Cimpoesu, Virus Researcher
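The relay list and the dropped-file name above are the indicators a responder would actually hunt for. The script below is an added example, not BitDefender's tooling and not part of the original entry: it loads the hostname/IP pairs from the list, matches them against constructed firewall log lines of an assumed "src= dst= dport=" shape, additionally flags any internal host that fans out SMTP connections to many distinct servers (the mass-mailer pattern, with an assumed threshold of five, which also catches relays that are not on the list), and checks a System32 folder for the dropped ACPI.exe. The function names, the log format, the sample log entries and the threshold are all assumptions made for this example.

```python
"""Hunt for Backdoor.Edunet.A relay traffic in firewall logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from pathlib import Path

# Relay targets from the write-up above, as alternating "hostname ip" tokens.
RELAY_TARGETS = """
ns.uk2.net 83.170.69.14 www.yahoo.com 87.248.113.14 www.web.de 217.72.195.42 216.245.195.34 216.245.195.34
john 192.168.13.2 mx-h.gmu.edu 129.174.0.99 prince.cceb.med.upenn.edu 128.91.204.88 smtp.service.emory.edu 170.140.52.178
mx.usc.edu 128.125.253.79 zeratul.whoi.edu 128.128.76.62 tassadar.whoi.edu 128.128.76.63 smtp-gw-ext.pima.edu 144.90.137.216
external-smtp-multi-vif.cc.columbia.edu 128.59.48.6 mail.ee.gatech.edu 130.207.225.105 mail2.mc.maricopa.edu 140.198.64.111
asg6.wright.edu 130.108.128.92 apollo.sjsu.edu 130.65.3.73 smtp02.olin.edu 209.94.128.135 mail.bc.edu 136.167.2.24
hscantispam.health.usf.edu 131.247.67.45 mx.dcn.davis.ca.us 168.150.253.5 emory.edu.s7a1.psmtp.com 64.18.6.14
mail.ece.gatech.edu 143.215.151.200 mail1.mc.maricopa.edu 140.198.64.113 asg4.wright.edu 130.108.128.91 hestia.sjsu.edu 130.65.3.74
smtp01.olin.edu 4.21.175.135 purgatory.bc.edu 136.167.2.254 uihc-mx.uihc.uiowa.edu 129.255.114.164
hscantispam.hsc.usf.edu 131.247.67.45 emory.edu.s7a2.psmtp.com 64.18.6.13 demeter.sjsu.edu 130.65.3.75
uihc-mxii.uihc.uiowa.edu 129.255.150.25 mailhub.appstate.edu 152.10.1.150 mail.lehigh.edu 128.180.2.160
emory.edu.s7b1.psmtp.com 64.18.6.11 smail7.nrl.navy.mil 132.250.1.17 emory.edu.s7b2.psmtp.com 64.18.6.10
ironport.ucc.vcu.edu 128.172.8.171 smail5.nrl.navy.mil 132.250.1.14 smtp1.etsu.edu 151.141.9.24
mailgate4.co.hennepin.mn.us 204.73.55.44 ironport2.ucc.vcu.edu 128.172.8.176 smail6.nrl.navy.mil 132.250.1.149
mx4.bucknell.edu 134.82.9.78 extrelay6.state.nd.us 165.234.64.65 mailgate5.co.hennepin.mn.us 207.225.131.11
mx5.bucknell.edu 134.82.9.77 mhub-m.tc.umn.edu 134.84.119.105 mp2.cc.umb.edu 158.121.14.102 esra.chem.sc.edu 129.252.244.5
extrelay5.state.nd.us 165.234.64.66 mx1.bucknell.edu 134.82.9.129 mhub-w.tc.umn.edu 134.84.119.8 mp1.cc.umb.edu 158.121.14.101
pennant.ceris.purdue.edu 128.210.64.11 router3.mail.cornell.edu 132.236.56.25 mx2.bucknell.edu 134.82.9.73
mhub-a.tc.umn.edu 134.84.119.205 router4.mail.cornell.edu 132.236.56.17 cluster5.us.messagelabs.com 216.82.253.19
"""

# Assumed log shape: "<time> src=<ip> dst=<ip> dport=<port> proto=tcp".
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")

# Constructed sample: 10.0.0.7 behaves like the mass mailer, 10.0.0.9 is a normal host.
SAMPLE_LOG = """\
2008-03-12 10:15:01 src=10.0.0.7 dst=129.174.0.99 dport=25 proto=tcp
2008-03-12 10:15:01 src=10.0.0.7 dst=128.91.204.88 dport=25 proto=tcp
2008-03-12 10:15:02 src=10.0.0.7 dst=132.250.1.17 dport=25 proto=tcp
2008-03-12 10:15:02 src=10.0.0.7 dst=134.82.9.78 dport=25 proto=tcp
2008-03-12 10:15:03 src=10.0.0.7 dst=198.51.100.20 dport=25 proto=tcp
2008-03-12 10:15:03 src=10.0.0.7 dst=128.125.253.79 dport=25 proto=tcp
2008-03-12 10:15:04 src=10.0.0.9 dst=129.174.0.99 dport=443 proto=tcp
2008-03-12 10:15:05 src=10.0.0.9 dst=203.0.113.5 dport=25 proto=tcp
"""


def parse_targets(text):
    """Map each public relay IP to its hostname; private lab hosts are dropped."""
    tokens = text.split()
    targets = {}
    for name, ip in zip(tokens[::2], tokens[1::2]):
        try:
            if ipaddress.ip_address(ip).is_private:  # e.g. "john 192.168.13.2"
                continue
        except ValueError:
            continue
        targets.setdefault(ip, name)  # first hostname wins for a repeated IP
    return targets


def scan_log(lines, targets, fanout_threshold=5):
    """Return known-relay hits and sources fanning out to many SMTP servers.

    Only port-25 connections count. The fan-out check (threshold is an
    assumption) catches the mass-mailer pattern even for relays not listed.
    """
    ioc_hits = []
    smtp_dests = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or int(m.group(3)) != 25:
            continue
        src, dst = m.group(1), m.group(2)
        smtp_dests[src].add(dst)
        if dst in targets:
            ioc_hits.append((src, dst, targets[dst]))
    mass_mailers = {s: len(d) for s, d in smtp_dests.items()
                    if len(d) >= fanout_threshold}
    return {"ioc_hits": ioc_hits, "mass_mailers": mass_mailers}


def dropped_file_present(system32_dir):
    """True if ACPI.exe sits in the given System32 folder. The legitimate ACPI
    component is the driver System32\\drivers\\acpi.sys, never an .exe here."""
    folder = Path(system32_dir)
    if not folder.is_dir():
        return False
    return any(p.is_file() and p.name.lower() == "acpi.exe" for p in folder.iterdir())


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG.splitlines(), parse_targets(RELAY_TARGETS))
    for src, dst, host in result["ioc_hits"]:
        print(f"{src} -> {dst} ({host}): known Edunet relay target")
    for src, n in result["mass_mailers"].items():
        print(f"{src} opened SMTP to {n} distinct hosts: mass-mailer fan-out")
```

Run it as a script to see the verdicts on the constructed sample; on a real incident feed scan_log with actual log lines and point dropped_file_present at C:\Windows\System32 on the suspect host. The target list is a snapshot from the time of analysis, so the fan-out check is the more durable signal: the relays a sample is told to use change with the configuration it downloads, the behaviour of opening SMTP sessions to dozens of unrelated mail exchangers does not.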