Friday, 14 January 2005
Backdoor.Abebot is a Trojan horse that opens a back door and lowers security settings on the compromised computer.
When Backdoor.Abebot is executed, it performs the following actions:
Creates the following copy of itself:
%System%\[random file name].exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"[random service name]" = "[random file name].exe -services"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan starts when Windows starts.
Adds the value:
"[random service name]" = "[random file name].exe -services -drivers"
to the registry subkey:
HKEY_USERS\S-1-5-21-679724519-2691042562-2408214785-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan starts when Windows starts.
Creates the following registry subkey as an infection marker:
HKEY_LOCAL_MACHINE\Software\Microsoft\Connect
Opens a back door on a random TCP port and awaits commands from the remote attacker.
The back door allows the attacker to perform the following actions on the compromised computer:
Run commands
Retrieve system information and files via FTP, HTTP, or IRC, using DCC send commands
Restart or shut down the computer
List or kill processes
Perform denial of service attacks
Retrieve a given URL
Port scan
Send email
Start a SOCKS4 proxy server on a random TCP port
Log keystrokes
Lowers security settings by terminating the following security-related processes:
AdDestroyer.exe
Alles-ist-vorbei.exe
Avengine.exe
Blaargh.exe
CCPXYSVC.EXE
CCSETMGR.EXE
CClaw.exe
CMESys.exe
Cheese-Burger.exe
DateManager.exe
Desktop-shooting.exe
EtherD.exe
FRW.EXE
GAMECHANNEL.EXE
GMT.exe
HijackThis.exe
IAMAPP.EXE
IAMSERV.EXE
KeenValue.exe
LOCKDOWN2000.EXE
Lookout.exe
MCAGENT.EXE
MWSOEMON.EXE
McShield.exe
Mpftray.exe
NAVAPSVC.EXE
NAVW32.exe
NISUM.EXE
NJEEVES.EXE
NMain.exe
NPROTECT.EXE
NPSSVC.EXE
NVCSCHED.EXE
Nip.exe
Nymse.exe
PAVFIRES.exe
Pavproxy.exe
PrecisionTime.exe
SAVSCAN.EXE
SNDSrvc.exe
SVCH0ST.EXE
SVCHOSL.PIF
SYS_ALERT.EXE
SearchUpgrader.exe
Smc.exe
SymWSC.exe
TBPSSvc.exe
TaskMan.exe
TeaTimer.exe
Tmntsrv.exe
VetMsg.exe
ViewMgr.exe
VirtualBouncer.exe
WUAUMQR.exe
Weather.exe
WeatherOnTray.exe
WebRebates0.exe
WebRebates1.exe
WebSavingsFromEbates0.exe
WebSavingsFromEbates1.exe
Zanda.exe
Zlh.exe
actalert.exe
apvxdwin.exe
avgcc32.exe
avgserv.exe
avpcc.exe
bargains.exe
bigfix.exe
blackd.exe
blackice.exe
cashback.exe
ccApp.exe
ccEvtMgr.exe
dllhost32.exe
dmserver.exe
drweb32w.exe
drwebscd.exe
dust.exe
ethereal.exe
evntsvc.exe
filemon.exe
firedaemon.exe
guw32.exe
hbsrv.exe
imss.exe
intrenat.exe
istsvc.exe
lockdown.exe
lockdown2000.exe
lordpe.exe
mcupdate.exe
mcvsrte.exe
mcvsshld.exe
mghtml.exe
mgui.exe
minilog.exe
mmc.exe
mostat.exe
msblast.exe
mscnt.exe
msconfig.exe
msconfig32.exe
mspmspv.exe
netmon.exe
netstat.exe
nvcoas.exe
ollydbg.exe
optimize.exe
persfw.exe
portmon.exe
procdump.exe
processmonitor.exe
rcp32.exe
regedit.exe
regmon.exe
rmss.exe
scvhosts.exe
smc.exe
sniffem.exe
spidernt.exe
spoolsrv.exe
stinger.exe
svchosts.exe
svcnet.exe
svshosts.exe
symlcsvc.exe
syscfg32.exe
sysmon.exe
system32.exe
taskkill.exe
tasklist.exe
tcpview.exe
tskill.exe
updmgr.exe
videodrv.exe
vsmain.exe
winka.exe
winppr32.exe
winsrv32.exe
winupdat.exe
winupdt.exe
wml.exe
xcommsvr.exe
zapro.exe
zlclient.exe
zonealarm.exe
Modifies the hosts file to block access to the following Web sites:
avp.com
ca.com
f-secure.com
housecall.trendmicro.com
kaspersky.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
us.mcafee.com
v4.windowsupdate.microsoft.com
v5.windowsupdate.microsoft.com
v5windowsupdate.microsoft.nsatc.net
viruslist.com
windowsupdate.com
windowsupdate.microsoft.com
www.avp.com
www.bitdefender.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.pandasoftware.com
www.ravantivirus.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
www.windowsupdate.com
www3.ca.com
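The two host-based indicators in this write-up that an analyst can check cheaply are the Run-key values carrying the "-services" / "-services -drivers" argument pattern (the persistence entries described above) and the hosts-file entries that redirect the security-vendor and Windows Update names listed just above. The following Python script is an added triage example written for this page; it is not Symantec's code and is not part of the original write-up. It works on plain values (a hosts-file text and a list of Run-key name/data pairs) so it runs offline against constructed sample input; on a live Windows host you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts and the values exported from the Run subkeys named above. The random file and value names in the sample are invented, as the write-up gives none.

```python
"""Triage heuristics for the Backdoor.Abebot persistence and hosts-file indicators.

Added example for this write-up (not the vendor's code). Two checks:
  1. hosts-file lines that map one of the write-up's blocked domains to any address;
  2. Run-key values whose data ends in "-services" or "-services -drivers".
"""
import re
from typing import List, Tuple

# Exact hostnames the write-up says the Trojan blocks through the hosts file.
BLOCKED_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "housecall.trendmicro.com",
    "kaspersky.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "us.mcafee.com", "v4.windowsupdate.microsoft.com",
    "v5.windowsupdate.microsoft.com", "v5windowsupdate.microsoft.nsatc.net",
    "viruslist.com", "windowsupdate.com", "windowsupdate.microsoft.com",
    "www.avp.com", "www.bitdefender.com", "www.ca.com", "www.f-secure.com",
    "www.kaspersky.com", "www.mcafee.com", "www.my-etrust.com", "www.nai.com",
    "www.networkassociates.com", "www.pandasoftware.com",
    "www.ravantivirus.com", "www.sophos.com", "www.symantec.com",
    "www.trendmicro.com", "www.viruslist.com", "www.windowsupdate.com",
    "www3.ca.com",
}

# Run-key data pattern reported in the write-up: "<file>.exe -services" or
# "<file>.exe -services -drivers" (the .exe may be quoted).
RUN_ARG_PATTERN = re.compile(r'\.exe"?\s+-services(?:\s+-drivers)?\s*$', re.IGNORECASE)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                 # one address, many names per line
            entries.append((parts[0], host.lower()))
    return entries


def find_blocked_hosts(text: str) -> List[Tuple[str, str]]:
    """Hosts-file entries that override a domain from the write-up's block list.

    Any mapping for these names is suspicious: a normal hosts file should not
    pin vendor or Windows Update hostnames to any address at all.
    """
    return [(addr, host) for addr, host in parse_hosts(text) if host in BLOCKED_DOMAINS]


def find_suspicious_run_values(values: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run-key (name, data) pairs whose data matches the Trojan's argument pattern."""
    return [(name, data) for name, data in values if RUN_ARG_PATTERN.search(data)]


# --- constructed sample input (not from a real host) ---------------------------
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1  www.symantec.com
127.0.0.1 securityresponse.symantec.com  # tampered line
0.0.0.0 windowsupdate.microsoft.com
192.168.1.10 intranet.example.test
"""

RUN_VALUES_SAMPLE = [
    ("ccApp", '"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"'),
    ("xkqtwr", "pmwubs.exe -services"),             # hypothetical random names
    ("Updater", "updmgr.exe -services -drivers"),   # hypothetical random names
]

if __name__ == "__main__":
    for addr, host in find_blocked_hosts(HOSTS_SAMPLE):
        print(f"hosts file overrides {host} -> {addr}")
    for name, data in find_suspicious_run_values(RUN_VALUES_SAMPLE):
        print(f"Run value {name!r} has Abebot-style arguments: {data}")
```

Both checks are deliberately narrow: a hit on the hosts file or on the argument pattern is a reason to pull the file named in the Run value and look for the HKEY_LOCAL_MACHINE\Software\Microsoft\Connect marker, not a verdict on its own, since the file and value names are random and vary between infections.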