Backdoor.IRC.Snyd.B

LOW
MEDIUM
Size: 10,240 bytes (UPX packed)
Aliases: Backdoor.Win32.Breplibot.c (Kaspersky), Troj/Stinx-F (Sophos), W32/Brepibot virus (McAfee)

Symptoms

It is virtually impossible for a normal user to detect the presence of any files hidden by the Sony DRM software. See the technical description below.

Prior to 10 Nov 2005 this malware was detected proactively as BehavesLike:Win32.Sony-DRM-HiddenFile.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Patrik Vicol, virus researcher

Technical Description:

Snyd.B is an improved variant of Snyd.A: the author has corrected a few bugs and changed a few strings.

Once executed, the virus will do the following:

1. Checks whether it is running inside a sandbox; if so, it creates the mutex "Super" and exits.

2. Attempts to copy itself to %SYSTEM%\$sys$xp.exe; if the copy fails, it retries every second.

3. Checks whether it is running for the first time by testing for the existence of the mutex "$sys$xp.exe". If it is the first run, it will:

- create the registry value "$sys$cmp" = "$sys$xp.exe" under both of the keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

- attempt to bypass the Windows Firewall by running a batch file that registers the trojan as a trusted program in the firewall's exception list

- send a notification of the infection to an Internet address on port 8080

4. If it is not the first run, it will:

- connect to 5 IRC servers, join the #cell channel and wait for commands from the attacker; the commands allow the attacker to query uptime, delete, download and execute files, and retrieve system information (the IRC user name is constructed from the computer name, the user name and random characters)
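As an added defender-side example (not code from this Bitdefender page or from the malware author), the script below checks Run-key entries and a %SYSTEM% directory listing for the indicators named in the description: the autorun value "$sys$cmp" = "$sys$xp.exe" under the HKLM/HKCU Run keys and the dropped file %SYSTEM%\$sys$xp.exe. It also goes one step further than the text and reports any other name that begins with "$sys$", since that prefix is what the Sony DRM rootkit cloaks, which is why the symptoms section says the files cannot be seen. The function and class names, the sample entries and the "$sys$other.exe" name are assumptions constructed for the example.

```python
"""Check Run-key entries and a %SYSTEM% listing for Snyd.B indicators.

Indicators taken from the description above:
  * autorun value "$sys$cmp" = "$sys$xp.exe" under HKLM/HKCU ...\Run
  * dropped file %SYSTEM%\$sys$xp.exe
Generalisation (assumption): any other "$sys$"-prefixed name is reported too,
because that prefix is the one the Sony DRM rootkit hides from the system.
"""
import ntpath
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SYS_PREFIX = "$sys$"
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_VALUE = ("$sys$cmp", "$sys$xp.exe")   # value name, value data (from the page)
KNOWN_FILE = "$sys$xp.exe"                       # file dropped into %SYSTEM% (from the page)


@dataclass(frozen=True)
class Finding:
    kind: str       # "run_key" or "file"
    location: str   # registry path or directory where the hit was found
    name: str       # value name or file name as seen
    detail: str     # why it was flagged


def _basename(value_data: str) -> str:
    """Reduce Run-key value data (bare name or full path) to a lower-case file name."""
    return ntpath.basename(value_data.strip().strip('"')).lower()


def scan_run_entries(hive: str, entries: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Flag Snyd.B's autorun value, and any $sys$-prefixed name or target, in one Run key."""
    location = f"{hive}\\{RUN_KEY_PATH}"
    findings: List[Finding] = []
    for name, data in entries:
        lname, exe = name.lower(), _basename(str(data))
        if (lname, exe) == KNOWN_RUN_VALUE:
            findings.append(Finding("run_key", location, name, "Snyd.B autorun entry"))
        elif lname.startswith(SYS_PREFIX) or exe.startswith(SYS_PREFIX):
            findings.append(Finding("run_key", location, name,
                                    "$sys$-prefixed entry (cloaked by Sony DRM rootkit)"))
    return findings


def scan_system_dir(directory: str, filenames: Iterable[str]) -> List[Finding]:
    """Flag the dropped file, and any other $sys$-prefixed file, in a %SYSTEM% listing."""
    findings: List[Finding] = []
    for fn in filenames:
        lfn = fn.lower()
        if lfn == KNOWN_FILE:
            findings.append(Finding("file", directory, fn, "Snyd.B dropped file"))
        elif lfn.startswith(SYS_PREFIX):
            findings.append(Finding("file", directory, fn,
                                    "$sys$-prefixed file (cloaked by Sony DRM rootkit)"))
    return findings


def run_scan(run_entries: Dict[str, List[Tuple[str, str]]],
             system_dir: str, filenames: List[str]) -> List[Finding]:
    """Scan every hive's Run entries, then the system directory; return all findings."""
    findings: List[Finding] = []
    for hive, entries in run_entries.items():
        findings.extend(scan_run_entries(hive, entries))
    findings.extend(scan_system_dir(system_dir, filenames))
    return findings


def collect_live_run_entries() -> Dict[str, List[Tuple[str, str]]]:
    """On Windows, enumerate both Run keys with winreg; elsewhere return {}.

    Caveat: while the Sony DRM rootkit driver is active, $sys$-prefixed values
    are filtered out of this enumeration as well, so scan an offline hive or
    run after the DRM software has been removed.
    """
    if sys.platform != "win32":
        return {}
    import winreg
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    out: Dict[str, List[Tuple[str, str]]] = {}
    for hive_name, hive in hives:
        entries: List[Tuple[str, str]] = []
        try:
            with winreg.OpenKey(hive, RUN_KEY_PATH) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:        # no more values
                        break
                    entries.append((name, str(data)))
                    index += 1
        except OSError:                    # key absent or not readable
            pass
        out[hive_name] = entries
    return out


# Constructed sample data for a stand-alone run (not taken from a real host).
SAMPLE_RUN_ENTRIES: Dict[str, List[Tuple[str, str]]] = {
    "HKLM": [("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
             ("$sys$cmp", "$sys$xp.exe")],                        # Snyd.B autorun value
    "HKCU": [("msnmsgr", r"C:\Program Files\MSN Messenger\msnmsgr.exe"),
             ("Updater", r"C:\WINDOWS\system32\$sys$other.exe")],  # constructed $sys$ target
}
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "$sys$xp.exe", "notepad.exe"]


def sample_findings() -> List[Finding]:
    """Run the scan over the constructed sample data."""
    return run_scan(SAMPLE_RUN_ENTRIES, r"C:\WINDOWS\system32", SAMPLE_SYSTEM_FILES)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.kind}] {f.location}\\{f.name}: {f.detail}")
```

Feed `run_scan` the output of `collect_live_run_entries()` and an `os.listdir` of the system directory when checking a real machine; on the sample data it reports the HKLM autorun value, the HKCU entry whose target is $sys$-prefixed, and the dropped file. Because the rootkit filters $sys$ names out of ordinary API results, an empty result on a host that still has the Sony DRM driver loaded is not evidence of a clean system.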