
Backdoor.Grexden


First posted on 07 May 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Grexden.

Explanation:

The Trojan is usually dropped by a specially crafted document which exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

When the Trojan is executed, it creates the following files:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\MSNETWORK.DLL
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\encrypt.dat

Next, it creates registry entries under the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

The Trojan then connects to the following remote locations:
    192.168.100.133
    61.128.110.37
    192.168.0.114
    14.102.246.203
    192.168.63.186
    192.168.63.98

The Trojan may then perform the following actions:
    Download files
    Create processes
    Move files
    Enumerate the file system
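The artifacts listed above (dropped files, the Winsock LSP catalog subkey, remote hosts) are the detection handles a responder would sweep for. The following is an added example, not part of the Symantec writeup: it classifies constructed host telemetry events against those indicators, and it sets aside the 192.168.x.x addresses, which are private-range and almost certainly the analysis lab's network rather than infrastructure worth alerting on. Event shape, host names and sample records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Indicators as given in the Backdoor.Grexden writeup above.
DROPPED_FILES = {
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Network\MSNETWORK.DLL".lower(),
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Network\encrypt.dat".lower(),
}
LSP_CATALOG_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2"
    r"\Parameters\Protocol_Catalog9\Catalog_Entries"
).lower()
REMOTE_HOSTS = {
    "192.168.100.133", "61.128.110.37", "192.168.0.114",
    "14.102.246.203", "192.168.63.186", "192.168.63.98",
}

def routable_hosts(hosts):
    """Keep only globally routable addresses; RFC1918 entries in a vendor
    writeup usually reflect the sandbox network, so alerting on them would
    just produce false positives on any internal LAN."""
    return {h for h in hosts if ipaddress.ip_address(h).is_global}

def classify(event):
    """Return an indicator label for one telemetry event dict, or None."""
    kind = event.get("type")
    if kind == "file_create" and event.get("path", "").lower() in DROPPED_FILES:
        return "dropped_file"
    # Any write beneath Catalog_Entries registers a Winsock LSP: a persistence
    # point that loads the DLL into every process that uses sockets.
    if kind == "registry_set" and event.get("key", "").lower().startswith(LSP_CATALOG_KEY):
        return "lsp_catalog_write"
    if kind == "net_connect" and event.get("dst") in routable_hosts(REMOTE_HOSTS):
        return "known_remote_host"
    return None

def scan(events):
    """Group indicator labels per host; a host with both a dropped file and an
    LSP catalog write is a high-confidence match, a lone network hit is weaker."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["host"]].add(label)
    return {h: sorted(labels) for h, labels in hits.items()}

# Constructed sample telemetry (assumed format, not taken from the writeup).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "path": r"C:\Documents and Settings\All Users\Application Data\Microsoft\Network\MSNETWORK.DLL"},
    {"host": "ws01", "type": "registry_set", "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem"},
    {"host": "ws01", "type": "net_connect", "dst": "61.128.110.37"},
    {"host": "ws02", "type": "net_connect", "dst": "192.168.63.98"},  # private range: deliberately ignored
    {"host": "ws02", "type": "file_create", "path": r"C:\Windows\Temp\report.docx"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```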

Last update 07 May 2014
