Backdoor.Ardu.A
VERY LOW
VERY LOW
Size: 513043 B (main executable file); 1970 B (Ruby script)
Symptoms
Unusual internet activity
Presence of the file %system%\AutoCfg.exe
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Lutas Andrei Vlad, virus researcher
Technical Description:
This backdoor most likely ends up on a system after being downloaded by other malware (e.g. Trojan.Downloader.VBS.DA) under the name %system%\AutoCfg.exe.
It is a large executable that carries in its overlay a Ruby interpreter together with the runtime libraries the malicious script needs. When executed, it drops all of these files, including the script, into %temp% and runs the script, which performs the following:
- retrieves the local computer name
- retrieves the local user name
- retrieves the victim's IP address
- retrieves a file (ip.txt) from the URL http://www.run[removed].com/examples/ip.txt; as its name suggests, the file contains an IP address
- connects to the IP address retrieved in the previous step, on port 2009
- sends the data gathered about the victim (IP address, computer name, user name)
- listens for commands from the attacker; if a command contains "Goodbye", the session is closed, and any other command is appended to the file %system%\AutoCfg.bat (created by the malware). Because every command other than "Goodbye" is written to that file, AutoCfg.bat is a record of the attacker's activity and is worth collecting during incident response.
%system% refers to the system directory, usually C:\Windows\system32.
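The indicators above (the two AutoCfg files in the system directory, the command log in AutoCfg.bat, and a TCP connection to remote port 2009) can be checked with a small triage script. The following Ruby script is an added example written for this page; it is neither BitDefender's code nor taken from the sample. It assumes `netstat -an` style output lines ("TCP local:port remote:port STATE") and runs against a constructed directory and constructed netstat lines rather than a live host.

```ruby
require 'tmpdir'

# Files the backdoor drops or creates in %system% (from the description above).
ARDU_FILES = %w[AutoCfg.exe AutoCfg.bat].freeze
# Port the backdoor connects to on the address fetched from ip.txt.
ARDU_C2_PORT = 2009

# Check the system directory for the dropped executable and the command file.
# Returns a hash of file name => present?
def check_host_indicators(system_dir)
  ARDU_FILES.each_with_object({}) do |name, found|
    found[name] = File.file?(File.join(system_dir, name))
  end
end

# Every command other than "Goodbye" is appended to AutoCfg.bat, so the file
# is a log of what the attacker ran. Returns its non-empty lines, in order.
def recover_attacker_commands(system_dir)
  path = File.join(system_dir, 'AutoCfg.bat')
  return [] unless File.file?(path)
  File.readlines(path, chomp: true).reject { |l| l.strip.empty? }
end

# Parse "netstat -an" style lines (assumed layout: TCP, local, remote, state)
# and return the remote endpoints whose port is the backdoor's C2 port.
def find_c2_connections(netstat_lines)
  netstat_lines.each_with_object([]) do |line, hits|
    cols = line.strip.split(/\s+/)
    next unless cols[0] == 'TCP' && cols.size >= 4
    remote = cols[2]
    host, port = remote.rpartition(':').values_at(0, 2)
    next unless port.to_i == ARDU_C2_PORT
    hits << { remote: host, state: cols[3] }
  end
end

# Combine the host and network checks into one triage result.
def triage(system_dir, netstat_lines)
  {
    files: check_host_indicators(system_dir),
    commands: recover_attacker_commands(system_dir),
    c2: find_c2_connections(netstat_lines),
  }
end

if __FILE__ == $0
  # Constructed sample: a fake %system% directory and two netstat lines.
  Dir.mktmpdir do |fake_system|
    File.write(File.join(fake_system, 'AutoCfg.exe'), 'MZ')
    File.write(File.join(fake_system, 'AutoCfg.bat'), "dir c:\\\nnet user\n\n")
    netstat = [
      '  TCP    10.0.0.5:1037    198.51.100.7:2009    ESTABLISHED',
      '  TCP    0.0.0.0:135      0.0.0.0:0            LISTENING',
    ]
    p triage(fake_system, netstat)
  end
end
```

On a real host, pass the actual system directory (for example `ENV['SystemRoot'] + '\\system32'`) and the lines of `netstat -an`; the remote address reported next to port 2009 should match the contents of the ip.txt the sample downloaded.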