Home / malware Backdoor:Win32/Hostil.F
First posted on 08 June 2010.
Source: SecurityHomeAliases :
Backdoor:Win32/Hostil.F is also known as Win-Trojan/Sasfis.165376.C (AhnLab), Trojan.Win32.Sasfis.aaek (Kaspersky), W32/Malware.LOME (Norman), Trojan horse Small.BSP (AVG), Win32/Hostil.H (CA), Trojan.Inject.8184 (Ikarus), Generic BackDoor!cde (McAfee), Trojan.Win32.Generic.51FA9C37 (Rising AV).
Explanation :
Backdoor:Win32/Hostil.F is a backdoor trojan that allows unauthorized access and control to an affected computer.
Top
Backdoor:Win32/Hostil.F is a backdoor trojan that allows unauthorized access and control to an affected computer. InstallationWhen executed, the malware injects code into svchost.exe then copies itself to <system>regedit.exe and creates the following registry entry to ensure execution at each Windows start: Adds value: "Calc32" With data: "<system folder>\regedit.exe" To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Payload Allows backdoor access and controlThe malware allows unauthorized access and control to an affected computer. It attempts to connect to a number of specified remote hosts via Port 25. We have observed the malware contacting the following remote hosts: mxs.mail.ru alt4.gmail-smtp-in-l.google.com b.mx.mail.yahoo.com in1.smtp.messagingengine.com mx2.mailhop.org Using this backdoor functionality, an attacker may be able to download and execute other files. Additional InformationThe code injected into "SVCHost.exe" creates two mutexes with names that use the following format: mutogen<number>
Analysis by Dan KurcLast update 08 June 2010