VIRUS NAME: BackDoor-ABH
Trojan
Characteristics
This Remote Access Trojan masquerades as a downloader for an email client application. When executed on the victim machine, the Trojan attempts to connect to an FTP server. The Trojan contains the string:
'Would you like to download Bmail.. Bmail is a talking Email software that works with POP and other email accounts. Its works with Yahoo also. More will be added soon..'
In addition to opening this FTP connection, the Trojan opens an additional port on the victim machine, enabling remote access to the machine.
The Trojan sets the following Registry key in an attempt to run itself at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SetFTPBack" = C:\WINDOWS\SYSTEM\createsw.exe
However, in testing the Trojan did not successfully copy itself to CREATESW.EXE in the System directory.
Symptoms
Existence of the Registry hook detailed above
Port 5135 open on victim machine
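As an added offline triage check, not part of the original advisory, the following Python scans a `reg export` dump of the Run key and `netstat -an` output for the two symptoms listed above; both sample inputs are constructed, not real captures.

```python
import re

# Indicators taken from the advisory: the Run value, and TCP port 5135.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SetFTPBack"
BACKDOOR_PORT = 5135

# Constructed sample inputs (not real captures): a `reg export` of the Run key
# and `netstat -an` output from a hypothetical infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SetFTPBack"="C:\\WINDOWS\\SYSTEM\\createsw.exe"
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5135           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.20:21        ESTABLISHED
"""

def find_registry_hook(reg_export):
    """Return the command behind the SetFTPBack Run value, or None."""
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # section header holds the key path
            continue
        if current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1) == RUN_VALUE:
                return m.group(2).replace("\\\\", "\\")  # un-escape .reg backslashes
    return None

def find_backdoor_listener(netstat_output):
    """Return the local address of a TCP listener on port 5135, or None."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                return parts[1]
    return None

def triage(reg_export, netstat_output):
    """Collect the advisory's two symptoms; an empty list means neither was seen."""
    hook = find_registry_hook(reg_export)
    listener = find_backdoor_listener(netstat_output)
    return [f for f in (hook and f"Run value {RUN_VALUE} -> {hook}",
                        listener and f"TCP listener on {listener}") if f]
```

Because the advisory notes that the Trojan failed to copy CREATESW.EXE in testing, the Run value may point at a file that does not exist; whether the file is present must be confirmed on the host itself.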
Method Of Infection
The Trojan is designed to install itself on the victim machine upon execution.