
Backdoor.Zdoogu.F

LOW
LOW
~25 Kbytes
(Backdoor.Win32.Zdoogu.bx, BDS/Zdoogu.BX)

Symptoms

 Presence of digiwet.dll in %windir%\system32
 Presence of wiaservim.log in %windir%

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Balazs Biro, jr. virus researcher

Technical Description:

 The backdoor copies itself to %windir%\system32\digiwet.dll, changing the file extension and executable type to DLL, and registers that copy to start with Windows by adding it to the registry value:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
It then launches svchost.exe and overwrites the svchost.exe image in memory with its own payload (a process-hollowing technique), so the malicious code runs under the name of a legitimate system process. The payload does the following:
It creates a file named wiaservim.log in %windir%, probably to record its activity. It connects to 78.109.29.112, downloads and executes a couple of files from there, and then reports back to the same IP address.
The downloaded executables belong to the Backdoor.IRCBot family; with them, the compromised computer can be controlled remotely over IRC (Internet Relay Chat).
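To check a host for the persistence and file indicators described in this report, here is an added Python triage script; it is not part of the Bitdefender page or its tooling. It assumes the Windows XP-era default contents of the SecurityProviders value (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) as the clean baseline, and it reads the live registry only when run on Windows, falling back to a constructed sample value elsewhere.

```python
"""Triage helper for the Backdoor.Zdoogu.F indicators described in the report.

Assumption: the baseline below is the Windows XP-era default SecurityProviders
list; adjust KNOWN_PROVIDERS to match the clean build you are checking.
"""
import os
from typing import List, Optional

# Baseline SSPI providers normally present in the SecurityProviders value (assumed)
KNOWN_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# File-system indicators from the report
DROPPED_DLL = "digiwet.dll"
LOG_FILE = "wiaservim.log"


def _basename(path: str) -> str:
    """Last path component, accepting both '\\' and '/' regardless of host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def unexpected_providers(value: str) -> List[str]:
    """Return entries of the comma-separated SecurityProviders value that are
    not in the baseline. Zdoogu.F appends its DLL here so LSASS loads it at boot."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if _basename(e) not in KNOWN_PROVIDERS]


def zdoogu_file_indicators(windir: str) -> List[str]:
    """Return which of the report's dropped files exist under the given windir."""
    candidates = [os.path.join(windir, "system32", DROPPED_DLL),
                  os.path.join(windir, LOG_FILE)]
    return [p for p in candidates if os.path.isfile(p)]


def read_security_providers() -> Optional[str]:
    """Read the live registry value on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\SecurityProviders") as key:
        value, _ = winreg.QueryValueEx(key, "SecurityProviders")
        return value


if __name__ == "__main__":
    # Constructed sample of an infected value; not captured from a real host
    sample = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"
    print("Suspicious provider entries:", unexpected_providers(read_security_providers() or sample))
    print("Dropped files present:", zdoogu_file_indicators(os.environ.get("WINDIR", r"C:\Windows")))
```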