Trojan:Win32/Blorso.A


First posted on 07 March 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/Blorso.A is also known as Backdoor.Hupigon.78143 (BitDefender), Trojan-GameThief.Win32.OnLineGames.snlo (Kaspersky), PWS-Mmorpg.gen (McAfee), BACKDOOR.Trojan (Symantec).

Explanation:

Trojan:Win32/Blorso.A is installed in the system as a service. It connects back to a remote attacker to report successful infection of the system and to wait for further commands. It enables the remote attacker to gain full control of the system.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Installation
Trojan:Win32/Blorso.A arrives in the Windows system folder as a DLL file and is installed as a service. The dropped file name and service name vary from sample to sample. The DLL is loaded into svchost.exe every time the system starts.
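Because the file and service names vary, a defender cannot search for a fixed name; what stays constant is the mechanism, a service DLL hosted by svchost.exe. The following triage script is an added example (not from the original page or the analyst): it enumerates every svchost-hosted service, resolves its ServiceDll, and flags DLLs that are missing, unsigned, or not signed by Microsoft. The function name Get-SvchostServiceDll is my own, and the script assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example, not part of the original page: list svchost-hosted service
# DLLs and flag the ones that do not carry a valid Microsoft signature.
# Assumes an elevated PowerShell session on Windows.

function Get-SvchostServiceDll {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root | ForEach-Object {
        $name = $_.PSChildName
        $svc  = Get-ItemProperty -Path "$root\$name" -ErrorAction SilentlyContinue
        # Only services launched through svchost.exe host a DLL this way
        if ($svc.ImagePath -notmatch 'svchost\.exe') { return }

        $params = Get-ItemProperty -Path "$root\$name\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { return }

        # Expand %SystemRoot% and similar so the path can be checked on disk
        $dll    = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $exists = Test-Path -Path $dll
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue }

        [PSCustomObject]@{
            Service    = $name
            ServiceDll = $dll
            Exists     = $exists
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Suspicious: DLL missing from disk, signature not valid, or signer is not Microsoft.
Get-SvchostServiceDll |
    Where-Object { -not $_.Exists -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table -AutoSize
```

Any hit should be compared against a known-good baseline of the same Windows build before it is treated as an infection, since some legitimate third-party software also installs svchost-hosted service DLLs.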

Payload
Connects to a Remote Attacker
Trojan:Win32/Blorso.A may attempt to connect back to an attacker to report successful infection of the system and to wait for further commands. Some of the actions it may perform, based on commands from the attacker, are:
Start a remote command line shell for the attacker
Gain full control of the system registry and services
Transfer and execute files
Log keystrokes
Shut down and restart the computer
Enable and disable the mouse, keyboards, taskbar, and so on
Obtain a snapshot of the desktop and open windows
Access the CDROM drive (such as opening and closing the drive)
Send back detailed information on the infected system
Uninstall itself

Analysis by Shawn Wang

Last update 07 March 2009