Backdoor:Win32/Worksud.A
First posted on 17 September 2010.
Source: SecurityHome
Aliases:
Backdoor:Win32/Worksud.A is also known as WORM_TWITBOT.A (Trend Micro), Mehika Twitter Botnet (other).
Explanation:
Backdoor:Win32/Worksud.A is a backdoor trojan that connects to a website to receive commands. The commands could instruct the trojan to perform actions such as modify the local HOSTS file or download other malware. The trojan may be installed by other malware and may be part of an installed network of trojans known as a botnet.
Backdoor:Win32/Worksud.A is a backdoor trojan that connects to a website to receive commands. The commands could instruct the trojan to perform actions such as modifying the local HOSTS file or downloading other malware.
Installation
The trojan may be installed by other malware, by email spam, or when visiting a malicious web page. It may be part of an installed network of trojans known as a botnet.
Payload
Communicates with remote site
The trojan attempts to connect using HTTP to two websites to retrieve commands. Commands could include the following:
RestarHost - 'restore' the local HOSTS file to the following content:
# 102.54.94.97 rhino.acme.com # servidor origen
# 38.25.63.10 x.acme.com # host cliente x
AddHost - manipulate the local HOSTS file
NewHost - manipulate the local HOSTS file
Download - download malware
Visited - force the victim to visit a specific website
Messenger - spread itself via MSN Messenger
SendMail - send collected information back to a predefined email address
HomePage - modify the web browser home page
The trojan was observed making connections to the following servers:
193.164.133.57/~duskrow/Twi*ter
twitter.com/statuses/user_ti*eline/118177052.rss7
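Several of the commands above (RestarHost, AddHost, NewHost) act on the local HOSTS file, so a defender's first check on a suspect host is to list what that file actively maps and flag anything that redirects or blocks a non-local name. The following is an added example written for this entry, not code from the original page or from the malware; it parses HOSTS-format text (comment lines like the two shown above carry no active mapping), and the sample HOSTS content, hostnames and addresses it embeds are constructed for illustration.

```python
"""Audit HOSTS-format text for active entries a backdoor might have added.

Added example for this entry (not the page's own code). It ignores comment
lines, which is all the 'restored' file described above contains, and
reports any active mapping that either redirects a non-local hostname to a
remote address or pins it to loopback (the usual way updates get blocked).
"""
import ipaddress
from typing import List, Tuple

# Constructed sample HOSTS content. The two comment lines mirror the default
# sample entries; the last two active lines are hypothetical and exist only
# to exercise the audit (example-bank.test / example-av.test are not real).
SAMPLE_HOSTS = """\
# 102.54.94.97 rhino.acme.com # servidor origen
# 38.25.63.10 x.acme.com # host cliente x
127.0.0.1 localhost
::1 localhost
198.51.100.23 www.example-bank.test   # hypothetical redirection
127.0.0.1 update.example-av.test      # hypothetical blocked updater
"""

# Names a stock HOSTS file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs for every active, non-comment entry.

    Inline '#' comments are stripped, and one line may list several names.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no hostname maps nothing
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed addresses count as remote."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_hosts(text: str) -> List[str]:
    """Return one finding per suspicious active entry, in file order.

    'redirected' means a hostname resolves to a remote address via the file;
    'blocked' means a non-local hostname is pinned to loopback.
    """
    findings: List[str] = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES and is_loopback(addr):
            continue  # the expected default entries
        if is_loopback(addr):
            findings.append(f"blocked: {name} -> {addr}")
        else:
            findings.append(f"redirected: {name} -> {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a live system the text would be read from the platform's HOSTS path (for Windows, `%SystemRoot%\System32\drivers\etc\hosts`); an empty findings list is the expected result on a clean machine, and any 'redirected' entry for a name the organization does not control deserves the same handling as the other indicators listed on this page.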
Analysis by Tim Liu
Last update 17 September 2010