Backdoor.Ardu.A
SYMPTOMS:
- Unusual internet activity
- Presence of the file %system%\AutoCfg.exe

TECHNICAL DESCRIPTION:
This backdoor will most likely end up on a system after being downloaded by other malware (e.g. Trojan.Downloader.VBS.DA) under the name %system%\AutoCfg.exe.

It is nothing but a big executable that carries inside its overlay a Ruby interpreter, together with several runtime libraries it needs in order to run the infected script. After being executed, it drops all these files inside %temp%, including the infected script, and runs it. The script performs the following:
- retrieves the local computer name
- retrieves the local user name
- retrieves the victim's IP address
- retrieves a file (ip.txt) from the following URL: http://www.run[removed].com/examples/ip.txt, which contains (as its name says) an IP address
- connects to the IP address previously retrieved, on port 2009
- sends the data gathered about the victim (IP address, computer name, user name)
- listens for commands that an attacker may send; if a command contains "Goodbye", the session is closed; any other command is appended to the file %system%\AutoCfg.bat (created by the malware)

%system% refers to the system directory, usually c:\windows\system32.

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Lutas Andrei Vlad, virus researcher
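As an added example (not part of the BitDefender write-up), the indicators described above turned into a small detection pass over endpoint and network log lines. The log format, host names and IP addresses are constructed for illustration; because the staging domain is redacted on the page, the HTTP rule matches only on the /examples/ip.txt path, and a port 2009 connection is flagged only when the same host fetched ip.txt first, since the port alone is a weak signal.

```python
import re
from collections import defaultdict

# Indicators taken from the Backdoor.Ardu.A description above.
DROPPED_FILES = {"autocfg.exe", "autocfg.bat"}
STAGING_PATH = "/examples/ip.txt"
C2_PORT = 2009

# Constructed sample log lines (not real telemetry); one generic
# "type=... host=... key=value" record per line.
SAMPLE_LOG = """\
type=file host=ws01 action=create path=C:\\Windows\\System32\\AutoCfg.exe
type=http host=ws01 method=GET url=http://www.example.invalid/examples/ip.txt
type=net host=ws01 proto=tcp dst=198.51.100.7 dport=2009
type=http host=ws02 method=GET url=http://www.example.invalid/index.html
type=net host=ws02 proto=tcp dst=198.51.100.7 dport=443
type=file host=ws03 action=create path=C:\\Windows\\System32\\AutoCfg.bat
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value record into a dict (assumed log format)."""
    return dict(FIELD_RE.findall(line))

def detect(log_text):
    """Return {host: [reasons]} for hosts matching Backdoor.Ardu.A indicators."""
    hits = defaultdict(list)
    fetched_ip_txt = set()
    for line in log_text.splitlines():
        ev = parse(line)
        host = ev.get("host", "?")
        if ev.get("type") == "file" and ev.get("action") == "create":
            name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in DROPPED_FILES:
                hits[host].append(f"dropped file {ev['path']}")
        elif ev.get("type") == "http" and ev.get("url", "").endswith(STAGING_PATH):
            fetched_ip_txt.add(host)
            hits[host].append("fetched ip.txt C2 address file")
        elif ev.get("type") == "net" and ev.get("dport") == str(C2_PORT):
            # Port 2009 alone is weak; only flag it after the ip.txt fetch.
            if host in fetched_ip_txt:
                hits[host].append(f"connected to {ev['dst']}:{C2_PORT} after ip.txt fetch")
    return dict(hits)

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```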