Home / malware Backdoor.Farfli.AB
First posted on 21 November 2011.
Source: BitDefenderAliases :
Backdoor.Farfli.AB is also known as Trojan-Spy.Win32.Pophot(KAV.
Explanation :
Commonly it commes as an installer so it can drop several files, detected by Bitdefender as adware (Adware.Cinmus) or tojan-downloaders.
It modifies the memory of Explorer.exe or Winlogon.exe in order to open UDP ports.
Copies itself in %System% folder and launch the copy as a service. A registry key (and subkeys) is added with this occasion: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices[service_name], where [service_name] is composed from random characters.
It tries to access URLs from suspicious sites: setup1.tqzn.com, gs.chnsystem.com, mokead.com, zhaoyou.com, ...(e.g. setup1.tqzn.com/[removed]/barsetup.exe?queryid=50448)Last update 21 November 2011
