Backdoor.Muirim
First posted on 16 December 2015.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Muirim.
Explanation:
Once executed, the Trojan creates the following file:
%System%\[THREAT NAME].exe
The Trojan then creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"MMID" = "[RANDOM NUMBERS AND LETTERS]"
The Trojan may then register itself as a service.
Next, the Trojan connects to one or more of the following remote locations:
lywjrea.gmarketshop.net
chep.gmarketshop.net
sales.gmarketshop.net
sport.gmarketshop.net
mcupdate.nameserver.ns2.name
apply.anglest.net
dogi.freedom.onedumb.com
tbwa.sacreeflame.com
The Trojan may then perform the following actions:
List drives and files
Download, delete, execute, and read files
Create folders
Start a shell
Terminate processes
Last update 16 December 2015
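The indicators in this write-up (the MMID registry value under the Explorer key and the remote hosts the Trojan contacts) are what a defender would turn into a hunt. The script below is an added example, not part of the Symantec entry: it matches those indicators against DNS query logs and registry-modification logs. The log line formats and the sample lines are constructed for the demonstration and are not the output of any particular product; hostnames are matched exactly as listed on the page, so parent domains such as gmarketshop.net alone are deliberately not flagged.

```python
"""Hunt for Backdoor.Muirim indicators in DNS and registry-audit log lines.

Added example based on the indicators in the write-up. Log formats below are
assumptions made for the demonstration, not a real product's output.
"""
import re

# Remote locations listed in the write-up, normalised to lower case.
C2_DOMAINS = {
    "lywjrea.gmarketshop.net",
    "chep.gmarketshop.net",
    "sales.gmarketshop.net",
    "sport.gmarketshop.net",
    "mcupdate.nameserver.ns2.name",
    "apply.anglest.net",
    "dogi.freedom.onedumb.com",
    "tbwa.sacreeflame.com",
}

# Registry value written by the Trojan. Only the path below the user hive is
# compared, because registry-audit tooling (Sysmon, for example) typically
# records HKCU writes as HKU\<SID>\... rather than as HKEY_CURRENT_USER.
REG_SUFFIX = r"software\microsoft\windows\currentversion\explorer\mmid"

# Assumed DNS log shape:      "<timestamp> <client-ip> query <name> <qtype>"
# Assumed registry log shape: "<timestamp> <host> regset <key\value> <data>"
DNS_LINE = re.compile(r"^\S+\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)\s+(?P<qtype>\S+)$")
REG_LINE = re.compile(r"^\S+\s+(?P<host>\S+)\s+regset\s+(?P<target>\S+)\s+(?P<data>\S+)$")


def dns_hits(lines):
    """Return (client, name) for every query whose name is a listed C2 host."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        # Strip a trailing root dot and fold case before comparing.
        name = m.group("name").rstrip(".").lower()
        if name in C2_DOMAINS:
            hits.append((m.group("client"), name))
    return hits


def registry_hits(lines):
    """Return (host, target) for every write to ...\\Explorer\\MMID in any user hive."""
    hits = []
    for line in lines:
        m = REG_LINE.match(line.strip())
        if not m:
            continue
        target = m.group("target")
        if target.lower().endswith("\\" + REG_SUFFIX):
            hits.append((m.group("host"), target))
    return hits


# Constructed sample input: two C2 lookups (one upper-cased with a root dot),
# one benign lookup, and one lookup of a parent domain that is not listed.
SAMPLE_DNS = [
    "2015-12-16T10:01:02Z 10.0.0.15 query sales.gmarketshop.net A",
    "2015-12-16T10:01:03Z 10.0.0.15 query www.example.com A",
    "2015-12-16T10:01:04Z 10.0.0.22 query DOGI.FREEDOM.ONEDUMB.COM. A",
    "2015-12-16T10:01:05Z 10.0.0.22 query gmarketshop.net A",
]

# Constructed sample input: an MMID write logged under HKU\<SID>, an unrelated
# Explorer value, and an MMID write logged with the HKEY_CURRENT_USER alias.
SAMPLE_REG = [
    r"2015-12-16T10:02:00Z WS01 regset HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MMID a8f3k2",
    r"2015-12-16T10:02:01Z WS01 regset HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden 1",
    r"2015-12-16T10:02:02Z WS02 regset HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MMID q9z1",
]


def scan(dns_lines=SAMPLE_DNS, reg_lines=SAMPLE_REG):
    """Run both matchers and return the findings keyed by indicator type."""
    return {"dns": dns_hits(dns_lines), "registry": registry_hits(reg_lines)}


if __name__ == "__main__":
    for kind, hits in scan().items():
        for hit in hits:
            print(kind, *hit)
```

Feeding real logs in means adapting the two regular expressions to the actual record layout; the matching logic itself (exact host comparison for DNS, hive-independent suffix comparison for the registry value) stays the same.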