Full description

Nume:	BDS/Cycbot.B.726
Descoperit pe data de:	25/11/2010
Tip:	Backdoor Server
ITW:	Da
Numar infectii raportate:	Scazut
Potential de raspandire:	Scazut
Potential de distrugere:	Mediu
Marime:	177.152 Bytes
MD5:	5A87CEFC7A2DBD28A9764853CD92AFE9
Versiune VDF:	7.10.06.140
Versiune IVDF:	7.10.14.101 - Thursday, November 25, 2010

General Metoda de raspandire:
   • Nu are rutina proprie de raspandire

Alias:
   • TrendMicro: BKDR_CYCBOT.SMIB
   • Sophos: Mal/FakeAV-IS
   • Microsoft: Backdoor:Win32/Cycbot.B

Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Efecte secundare:
   • Posibilitatea accesului neautorizat la computer
   • Creeaza fisiere
   • Modificari in registri
   • Sustrage informatii

Fisiere Se copiaza in urmatoarea locatie:
• %APPDATA%\Microsoft\conhost.exe

Sunt create fisierele:

– %TEMPDIR%\csrss.exe Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Gendal.6363163

– %APPDATA%\dwm.exe Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Gendal.kdznnf

Registrii sistemului Una din urmatoarele valori este adaugata in registri pentru pornirea automata a procesului dupa reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "conhost"="%APPDATA%\Microsoft\conhost.exe"

Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   • "ProxyServer"="http=127.0.0.1:%numar%"

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="explorer.exe,%APPDATA%\dwm.exe"

Urmatoarea cheie din registri este modificata:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   Noua valoare:
   • "load"="%TEMPDIR%\csrss.exe"

Terminarea proceselor Procesele care contin urmatoarele siruri de caractere sunt oprite:
   • Avast
   • AVG
   • Avira
   • BitDefender
   • Dr.Web
   • ESET NOD32
   • Kaspersky
   • McAfee
   • Norton

Backdoor Deschide porturile:

– %fisier executat% port TCP aleator pentru a oferi functionalitate de backdoor.
– %fisier executat% port TCP aleator pentru a functiona ca server proxy.
– svchost.exe pe portul UDP 1032 pentru a oferi functionalitate de backdoor.

Servere contactate:
Urmatoarele:
   • http://**********ystemsone.com/blog/images/3521.jpg
   • http://**********lprocessoffline.com/blog/images/3521.jpg
   • http://**********airshampoo.com/blog/images/3521.jpg
   • http://**********badhead.com/blog/images/3521.jpg
   • http://**********eservermonitorings.com/blog/images/3521.jpg
   • http://**********nlinefreelibrarry.com/blog/images/3521.jpg
   • http://**********hopsonline.com/blog/images/3521.jpg
   • http://**********urityshllsonline.com/blog/images/3521.jpg
   • http://**********oroskopia.com/blog/images/3521.jpg
   • http://**********ewhoisdb.com/blog/images/3521.jpg
   • http://**********programmingshool.com/blog/images/3521.jpg
   • http://**********ssecureonline.com/blog/images/3521.jpg
   • http://**********bukaclubonline.com/blog/images/3521.jpg
   • http://**********midioz.com/blog/images/3521.jpg
   • http://**********ystemsone.com/blog/images/3522.jpg
   • http://**********lprocessoffline.com/blog/images/3522.jpg
   • http://**********airshampoo.com/blog/images/3522.jpg
   • http://**********badhead.com/blog/images/3522.jpg
   • http://**********eservermonitorings.com/blog/images/3522.jpg
   • http://**********nlinefreelibrarry.com/blog/images/3522.jpg
   • http://**********hopsonline.com/blog/images/3522.jpg
   • http://**********urityshllsonline.com/blog/images/3522.jpg
   • http://**********oroskopia.com/blog/images/3522.jpg
   • http://**********ewhoisdb.com/blog/images/3522.jpg
   • http://**********programmingshool.com/blog/images/3522.jpg
   • http://**********ssecureonline.com/blog/images/3522.jpg
   • http://**********bukaclubonline.com/blog/images/3522.jpg
   • http://**********midioz.com/blog/images/3522.jpg
   • http://**********ystemsone.com/blog/images/3523.jpg
   • http://**********lprocessoffline.com/blog/images/3523.jpg
   • http://**********airshampoo.com/blog/images/3523.jpg
   • http://**********badhead.com/blog/images/3523.jpg
   • http://**********eservermonitorings.com/blog/images/3523.jpg
   • http://**********nlinefreelibrarry.com/blog/images/3523.jpg
   • http://**********hopsonline.com/blog/images/3523.jpg
   • http://**********urityshllsonline.com/blog/images/3523.jpg
   • http://**********oroskopia.com/blog/images/3523.jpg
   • http://**********ewhoisdb.com/blog/images/3523.jpg
   • http://**********programmingshool.com/blog/images/3523.jpg
   • http://**********ssecureonline.com/blog/images/3523.jpg
   • http://**********bukaclubonline.com/blog/images/3523.jpg
   • http://**********midioz.com/blog/images/3523.jpg
   • http://**********ochrom.at/polytheism/pictures/TanzenderShiva.jpg
   • http://**********zyleafdesign.com/blog/images/share/stumble.png
   • http://**********zyleafdesign.com/blog/images/share/facebook.png
   • http://**********lsoftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif
   • http://**********vatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1
   • http://**********vatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2
   • http://**********usho.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg
   • http://**********k.com/img/icons/twitter.png
   • http://**********k.com/img/icons/facebook.png
   • http://**********lthylifenow.com/templates/7348/images/header_logo.jpg
   • http://**********lthylifenow.com/templates/7349/images/header_logo.jpg
   • http://**********landandbarrett.com/images/footer/account.jpg
   • http://**********landandbarrett.com/images/footer/account.gif
   • http://**********ionsautoelectric.com/images/50-217-1_F_1_.jpg
   • http://**********ionsautoelectric.com/images/50-217-1_F_2_.jpg
   • http://**********inebizdirectory.com/images/PowerShowBanner.gif
   • http://**********inebizdirectory.com/images/PowerHideBanner.gif
   • http://**********tpropaganda.net/blog/pics/3321.jpg
   • http://**********tpropaganda.net/blog/pics/3322.jpg
   • http://**********anesegreenteaonline.com/assets/images/greentea-cha-1.gif
   • http://**********anesegreenteaonline.com/assets/images/greentea-cha-2.gif
   • http://**********enherbalteaonline.com/images/greenherbalteagirlholdingcup250.gif
   • http://**********enherbalteaonline.com/images/greenherbalteagirlholdingcup350.gif
   • http://**********ineinstitute.com/g7/images/logo.jpg
   • http://**********ineinstitute.com/g7/images/logo2.jpg
   • http://**********ineinstitute.com/g7/images/logo3.jpg
   • http://**********ineinstitute.com/g7/images/logo4.jpg
   • http://**********inedatingsecretfriends.com/images/im133.jpg
   • http://**********inedatingsecretfriends.com/images/im134.jpg
   • http://**********stats.com/images/logo.png

Astfel se pot transmite informatii si se poate obtine control la distanta.

Trimte informatii despre:
    • Loguri create
    • adresele vizitate

Posibilitati de control la distanta:
    • Vizitarea unui website

Furt de informatii – Este pornita o rutina de logare dupa ce viziteaza un site care contine unul din urmatoarele siruri de caractere in URL:
   • .2mdn.; .abmr.; .adtechus.; .aol.; .atdmt.; .atwola.;
      .autodatadirect.; .bing.net; .dartsearch.; .doubleclick.; .ggpht.;
      .google; .ivwbox.; .mapquestapi.; .microsoft.; .opera.; .tacoda.;
      .thawte.; .tlowdb.; .truveo.; .virtualearth.; .wsod.; .yimg.com;
      .ypcdn.; amazon.; aol/search; aolcdn.; aolsvc.; bing.com;
      bing.com/search; blogger; brightcove.com; doubleclick.; ebay.; err069;
      facebook.; flickr; google.; gstatic.; imdb.; mapq.st; msn;
      scorecardresearch.com; search.aol.; search.yahoo.com/search;
      searcht2.aol.; start=; start=0; suche.aol.; twitter.; wikimedia.;
      wikipedia.; yahoo.; yahoo.com; youtube.; ytimg.

Injectarea codului malware in alte procese – Se injecteaza ca un thread remote intr-un proces.

Numele procesului:
• svchost.exe

Detaliile fisierului Limbaj de programare:
Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).

Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
• UPX

Description inserted by Andrei Ilie on Thursday, August 4, 2011
Description updated by Andrei Ilie on Friday, August 5, 2011

Back . . . .

Become an Avira Partner

Want to be the leading provider of small and medium business security? Become an Avira partner and offer your customers powerful, cost-effective security trusted by over 100 million users worldwide.

Discover the Avira Partner Program Enroll as an Avira partner today

Already a Partner?

. . . .

Call Us

+1 800-403-7019

Drop us a line

We'll get back to you lickety-split.

Nice to hear from you!

Thank you for contacting Avira.

Featured products

More products

Most popular

All products

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools

Call Us

+1 800-403-7019

Drop us a line

We'll get back to you lickety-split.

Nice to hear from you!

Thank you for contacting Avira.

Featured products

More products

Most popular

All products

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools