
Backdoor:Win32/Mangzamel.A


First posted on 02 November 2011.
Source: SecurityHome

Aliases:

Backdoor:Win32/Mangzamel.A is also known as BackDoor-FBR (McAfee), Troj/Mangzam-A (Sophos), Program.SkServer.7 (Dr.Web), Troj/Rootkit.IJ (Sophos).

Explanation:

Backdoor:Win32/Mangzamel.A is a trojan console application that can be instructed to perform certain actions by an attacker with access to the affected computer.





Installation

This malware may be installed by another process or by a remote attacker with write access to the affected computer. It is a console application whose behaviour is controlled by command-line arguments; for example:

  • -v - reports data that identifies the version of the trojan
  • -t - installs the binary as a Windows service named SEVNES
  • -i - checks whether the binary has been successfully installed as a service


When installed to run as a service (the -t option), the malware registers itself with the Service Control Manager by creating a service key whose ImagePath points at the trojan binary, for example:

In subkey: HKLM\System\CurrentControlSet\Services\SEVNES
Sets value: "ImagePath"
With data: "<malware path and file name>"
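The service key above is the persistence indicator a responder would check for. The following PowerShell script is an added example (it is not from the original write-up and not part of the malware analysis) that looks for the SEVNES service key, prints the ImagePath it points at, hashes the referenced binary if it is still on disk, and cross-checks the Service Control Manager's view of the service. Only the service name SEVNES comes from the write-up; the function name, output format and exit codes are assumptions made for this example.

```powershell
# Added example: hunt for the SEVNES service that Backdoor:Win32/Mangzamel.A
# registers and report where its ImagePath points. Run in an elevated PowerShell
# session; HKLM service keys may not be fully readable otherwise.
# The service name comes from the write-up; everything else here is assumed.

$ServiceName = 'SEVNES'
$KeyPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

function Get-ServiceImageFile {
    # Extract the executable path from an ImagePath value, which may be quoted
    # and may carry arguments or unexpanded variables such as %SystemRoot%.
    param([string]$ImagePath)

    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    # Unquoted path: the executable is the first whitespace-delimited token.
    return ($expanded -split '\s+')[0]
}

function Test-MangzamelService {
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) { return $null }

    $props     = Get-ItemProperty -Path $Path
    $imageFile = $null
    $hash      = $null
    if ($props.ImagePath) {
        $imageFile = Get-ServiceImageFile -ImagePath $props.ImagePath
        if (Test-Path -LiteralPath $imageFile -PathType Leaf) {
            # Hash the binary so it can be compared against the vendor's sample.
            $hash = (Get-FileHash -LiteralPath $imageFile -Algorithm SHA256).Hash
        }
    }

    [pscustomobject]@{
        ServiceName = Split-Path -Path $Path -Leaf
        ImagePath   = $props.ImagePath
        ImageFile   = $imageFile
        FileSHA256  = $hash
        StartType   = $props.Start      # 2 = automatic, 3 = manual, 4 = disabled
    }
}

$result = Test-MangzamelService -Path $KeyPath
if ($null -eq $result) {
    Write-Output "No service key named $ServiceName found under HKLM\SYSTEM\CurrentControlSet\Services."
    exit 0
}

Write-Output "Service key for $ServiceName is present:"
$result | Format-List

# Cross-check with the Service Control Manager: a key without a matching SCM
# entry (or a service that is currently running) is worth noting in the report.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output ("SCM reports state '{0}', PID {1}, PathName '{2}'" -f $svc.State, $svc.ProcessId, $svc.PathName)
} else {
    Write-Output "SCM has no entry for $ServiceName (key may be a remnant or the SCM database was not reloaded)."
}
exit 1
```

The script deliberately only reports; stopping the service, deleting the key and removing the binary are the usual next steps, but they should be taken after the sample has been preserved for analysis.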



Analysis by Vincent Tiu

Last update 02 November 2011
