Home / malware Backdoor.Tepmim
First posted on 11 October 2014.
Source: SymantecAliases :
There are no other names known for Backdoor.Tepmim.
Explanation :
When the Trojan is executed, it creates the following files: %Temp%\svohost.bat %Temp%\0ffice1x\WINWORD.EXE %Temp%\0ffice1x\CACHED\[COMPUTER NAME]_C_[VOLUME SERIAL NUMBER].DIR %Temp%\install.reg %Temp%\BACNK.TMP %Temp%\TEMPX.CPL %Temp%\svehost.exe %Windir%\system32\nppmgmt.dll %SystemDrive%\C.lnk %SystemDrive%\recycler\Temp\TEMPX.CPL %DriveLetter%\TEMPX.CPL
Next, the Trojan creates the following registry entries: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%SystemDrive%\WINDOWS\System32\svchost.exe" = "%SystemDrive%\WINDOWS\System32\svchost.exe:*:Enabled:DNS" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASAUTO\0000\"Service" = "RasAuto" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASAUTO\0000\"Legacy" = "1" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASAUTO\0000\"DeviceDesc" = "Remote Access Auto Connection Manager" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASAUTO\0000\"ConfigFlags" = "0" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASAUTO\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASAUTO\0000\"Class" = "LegacyDriver" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASAUTO\"NextInstance" = "1" HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\"WordTray" = "%Temp%\0ffice1x\WINWORD.EXE" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1085031214-113007714-1417001333\000003EE\"@" = "expand:"?\00?"" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\iusr_debug\"@" = "3ee"
The Trojan then modifies the following registry entries: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters\"ServiceDll" = "expand:"%Windir%\system32\nppmgmt.dll"" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\"Start" = "2" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"forceguest" = "0" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-1085031214-113007714-1417001333\"@" = "5" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000221\"C" = "[HEXADECIMAL VALUE]" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000220\"C" = "[HEXADECIMAL VALUE]" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\"F" = "[HEXADECIMAL VALUE]" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\"@" = "7" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Groups\00000201\"C" = "[HEXADECIMAL VALUE]" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\"F" = "[HEXADECIMAL VALUE]"
Next, the Trojan connects to the following remote location through TCP port 443: webmail.india-videoer.com
The Trojan may then perform the following actions: Execute cmd.exe Enumerate drives and files Move or delete files Upload and download files Create processes Gather system information, such as the OS version, computer names, and user name.Last update 11 October 2014