
Backdoor.BotGet.FtpA.Gen

MEDIUM
MEDIUM
varies
(W32/Sdbot.worm.bat.b (McAfee))

Symptoms

See technical description.
 

Removal instructions:

Recommendations: remove suspicious entries from the hives

HKCU and HKLM at

\Software\Microsoft\Windows\CurrentVersion\Run or
\Software\Microsoft\Windows\CurrentVersion\RunServices

install the latest patches and change the passwords on all accounts with administrator rights; also check for bogus user accounts with administrator rights (created by the virus) and delete them.
 
Please see description for Backdoor.SDBot and Backdoor.RBot
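As an added example (not Bitdefender's tooling), the following PowerShell script lists the autorun entries and the accounts with administrator rights that the removal instructions above tell you to review; the baseline and expected-admin lists are assumptions to replace with your own, and Get-LocalGroupMember requires the LocalAccounts module shipped with Windows 10 / Server 2016 and later.

```powershell
# Added example, not part of the original description. Run in an elevated
# PowerShell session on the suspect machine and review every REVIEW line.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Assumed known-good value names; extend with the baseline for your image.
$baseline = @('SecurityHealth', 'OneDrive')

foreach ($key in $runKeys) {
    # RunServices does not exist on modern Windows; skip keys that are absent.
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSChildName etc.; these are not values.
        if ($p.Name -like 'PS*') { continue }
        $flag = if ($baseline -contains $p.Name) { '' } else { 'REVIEW' }
        '{0,-7} {1}\{2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# Accounts with administrator rights: anything outside the expected list
# (assumed here to be only the built-in Administrator) needs a closer look.
$expectedAdmins = @("$env:COMPUTERNAME\Administrator")
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $flag = if ($expectedAdmins -contains $_.Name) { '' } else { 'REVIEW' }
    '{0,-7} {1} ({2}, {3})' -f $flag, $_.Name, $_.ObjectClass, $_.PrincipalSource
}
```

Because the description notes that other machines on the same LAN are likely compromised too, run the same audit on every host in the segment rather than only on the one where the file was detected.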
 

Analyzed By

Patrik Vicol, virus researcher

Technical Description:

Backdoor.BotGet.Ftp?.Gen detects scripts used by some malicious IRC bots (e.g. SDBot / RBot) and worms (e.g. Lovgate) to propagate from one computer to another.

A worm/bot installed on a machine searches for other computers in the same network or even on the internet. Once it finds a computer, it sends a malformed TCP packet that causes the target computer to execute the content of the packet (which is a batch script, detected as Backdoor.BotGet.FtpA.Gen).

Files detected are

Backdoor.BotGet.FtpA.Gen is a batch file that runs the system utility FTP.EXE with an ftp script that downloads the worm onto the victim computer and executes it; the batch file then deletes the ftp script and finally itself (the ftp script is detected as Backdoor.BotGet.FtpB.Gen).

Computers on which such files are detected most likely lack security patches (Windows updates) for the Windows operating system (see the Backdoor.SDBot / Backdoor.RBot descriptions) and/or have weak passwords on accounts with administrator rights.

Usually, if such a file is found on a computer in a LAN, it is very likely that other systems on the same network have been compromised as well.