Home / malwarePDF  

Backdoor:Win32/Bezigate.B


First posted on 18 September 2013.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Bezigate.B.

Explanation :

Threat behavior

Installation

Backdoor:Win32/Bezigate.B drops drops and runs copies of itself in one of the following folders:

  • %APPDATA%
  • %current directory%
  • %windir%


as any of the following file names:

  • 123.exe
  • 456.exe
  • microdbs.exe
  • mscon.exe
  • mscon.exe
  • msiexc.exe
  • msizap.exe
  • msupdt32.exe
  • mypass.exe
  • spsreng.exe
  • stub2546.exe
  • xtreme.exe


The malware makes the following changes to the registry to ensure that it runs each time you start your computer:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>" for example, "456"
With data: "<malware file path>" for example, "C:\Windows\456.exe"

Payload

Allows backdoor access and control

Backdoor:Win32/Bezigate.B attempts to communicate with hackers using the following combinations of domains and ports:

  • 78.184.197.86 1604
  • abdelsamed666.no-ip.com 5050
  • all.evilpacket.org 7709
  • barod.no-ip.biz 1515
  • ermenello.servegame.com 4781
  • fofo-123.no-ip.biz 1515
  • hack4ps.no-ip.info 131
  • jorlu.sytes.net 645
  • m30w.evilpacket.org 7709
  • monbebe.no-ip.org 1515
  • mrkarar.np-ip.ibz 1515
  • network-info.sytes.net 1604
  • nikt0x.no-ip.biz 1515
  • niku.uk.to 1515
  • nnqi.vicp.cc 81
  • r0x0r.no-ip.org 1515
  • rawr.evilpacket.org 7709
  • sorbbolindo.no-ip.biz 1515
  • topcumt2.zapto.org 1604
  • updupdupd.servepics.com 1604


Once it connects with a hacker, Backdoor:Win32/Bezigate.B allows backdoor access control of your computer, allowing hackers to perform any number of actions, including but not limited to:

  • Stealing information about your computer
  • Stopping and starting processes
  • Creating/removing/copying/moving/modifying files and folders
  • Open and close browser windows
  • Enumerating/modifying/starting/stopping running services
  • Enumerating and modifying the Windows registry
  • Logging keystrokes and stealing sensitive information
  • Retrieving files from your computer and sending them to the hacker




Analysis by Gabriel Plouffe, Duc Nguyen & Edgardo Diaz Jr

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    • 123.exe
    • 456.exe
    • microdbs.exe
    • mscon.exe
    • mscon.exe
    • msiexc.exe
    • msizap.exe
    • msupdt32.exe
    • mypass.exe
    • spsreng.exe
    • stub2546.exe
    • xtreme.exe

  • You see this entry in your registry:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<malware file name>"
    With data: "<malware file path>"

Last update 18 September 2013

 

TOP

Malware :

Family: