Backdoor:Win32/Ixeshe.A
First posted on 26 January 2010.
Source: SecurityHome
Aliases:
Backdoor:Win32/Ixeshe.A is also known as W32/Malware.KWKK (Norman), Backdoor.Remote.A (VirusBuster), Troj/Bckdr-RAS (Sophos), BACKDOOR.Trojan (Symantec).
Explanation:
Backdoor:Win32/Ixeshe.A is a backdoor trojan that allows remote access and control of a computer. In the wild, this trojan is known to be dropped by another malware, Exploit:Win32/Pdfjsc.DA.
Installation
Backdoor:Win32/Ixeshe.A is known to be installed by other malware, such as Exploit:Win32/Pdfjsc.DA, as the following file:
%TEMP%\Updater.exe
It modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "UAVSet"
With data: "%TEMP%\Updater.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Payloads
Allows remote access and control
Backdoor:Win32/Ixeshe.A connects to the following remote addresses:
140.136.148.42
140.136.202.49
To perform this action, it bypasses the computer's Web proxy if enabled. Once connected, a remote attacker may perform the following actions on the infected computer:
Download files
Upload files
Execute files (this may include malware binaries and arbitrary files)
Execute remote commands
Create a modified copy of Windows CMD.EXE with the name specified by the remote attacker
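The persistence, dropped-file and network indicators above can be checked on a single host with the following PowerShell triage script. It is an added example, not part of the original write-up; it assumes PowerShell 4 or later on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and is run in the session of the user whose HKCU hive is in question. It goes slightly beyond the write-up by also flagging any Run entry whose data references Updater.exe, not only the "UAVSet" value name.

```powershell
# Added triage script (not from the original write-up): checks a Windows host for the
# Backdoor:Win32/Ixeshe.A indicators listed above. Assumes PowerShell 4+ on Windows 8 /
# Server 2012 or later, run in the session of the user whose HKCU hive is being checked.
$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'UAVSet'
$dropPath  = Join-Path $env:TEMP 'Updater.exe'
$c2Hosts   = @('140.136.148.42', '140.136.202.49')   # remote addresses from the write-up
$findings  = @()

# 1. Persistence: the Run value the write-up names, plus any other Run entry whose data
#    points at Updater.exe (a broader check than the single value name).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # skip provider metadata (PSPath etc.)
        if ($p.Name -eq $valueName -or "$($p.Value)" -like '*\Updater.exe*') {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Dropped file: record its hash so it can be matched against AV detections or submitted.
if (Test-Path -LiteralPath $dropPath) {
    $sha256 = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropPath (SHA256 $sha256)"
}

# 3. Network: the backdoor bypasses the Web proxy, so a direct TCP connection to either
#    address is what to expect; tie any match back to the owning process.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
         Where-Object { $c2Hosts -contains $_.RemoteAddress }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += ("Connection to {0}:{1} ({2}) from PID {3} ({4})" -f
        $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess, $proc.ProcessName)
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/Ixeshe.A indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The registry check only covers the current user's hive, matching the HKCU subkey in the write-up; a finding from step 3 is the strongest signal, since the two addresses are contacted directly rather than through the configured proxy.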
Analysis by Rodel Finones
Last update 26 January 2010