
Backdoor.Bezigate


First posted on 14 March 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Bezigate.

Explanation:

The Trojan horse may arrive on the compromised computer after being dropped by other malware, through email, or after being downloaded.

When the Trojan is executed, it creates the following mutex:
[PREDETERMINED MUTEX NAME]

The Trojan copies itself to the following locations:
%Windir%\[PREDETERMINED FILE NAME].exe
%CommonProgramFiles%\[PREDETERMINED FILE NAME].exe

The Trojan creates one of the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[PREDETERMINED REGISTRY KEY NAME]" = "%Windir%\[PREDETERMINED FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[PREDETERMINED REGISTRY KEY NAME]" = "%Windir%\[PREDETERMINED FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[PREDETERMINED REGISTRY KEY NAME]" = "%CommonProgramFiles%\[PREDETERMINED FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[PREDETERMINED REGISTRY KEY NAME]" = "%CommonProgramFiles%\[PREDETERMINED FILE NAME].exe"

Note: [PREDETERMINED FILE NAME], [PREDETERMINED REGISTRY KEY NAME], and [PREDETERMINED MUTEX NAME] are determined by configuration data within the Trojan.
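Because the file and value names are configuration-dependent, a host check cannot key on them, but it can key on the two drop directories. The following is an added example, not part of the Symantec write-up: it enumerates the HKCU and HKLM Run keys named above and reports any value whose target executable sits directly in %Windir% or %CommonProgramFiles%, for an analyst to review.

```powershell
# Added example (not from the original write-up). Reads the two Run keys the
# write-up names and flags entries whose executable lives directly under
# %Windir% or %CommonProgramFiles%, the two copy locations described above.
# Read access to these keys does not require administrative rights.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Resolve the watched directories once, normalised without a trailing backslash.
$watchDirs = @(
    [Environment]::GetEnvironmentVariable('windir'),
    [Environment]::GetEnvironmentVariable('CommonProgramFiles')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($prop.Name -like 'PS*') { continue }
        $raw = [string]$prop.Value
        if (-not $raw) { continue }

        # Expand %Windir%-style variables, drop surrounding quotes, and cut any
        # command-line arguments that follow the executable.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
        $exe = $expanded -replace '\.exe\b.*$', '.exe'
        if (-not $exe) { continue }
        $dir = (Split-Path -Path $exe -Parent)
        if (-not $dir) { continue }
        $dir = $dir.TrimEnd('\')

        foreach ($watched in $watchDirs) {
            if ($dir -ieq $watched) {
                # Emit one record per suspicious entry; Exists shows whether
                # the referenced file is still present on disk.
                [PSCustomObject]@{
                    Key    = $key
                    Name   = $prop.Name
                    Target = $exe
                    Exists = (Test-Path -Path $exe -PathType Leaf)
                }
            }
        }
    }
}
```

A hit is a review item, not a verdict: confirm the file's publisher and hash before acting, since a few legitimate installers also place executables in these directories.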

The Trojan opens a back door and connects to a predetermined location.

Note: The predetermined location is determined by configuration data within the Trojan.

The Trojan may perform the following actions:
List, move, and delete drives
List, move, and delete files
List processes and running window titles
List services
List registry values
Kill processes
Maximize, minimize, and close windows
Upload and download files
Execute shell commands
Uninstall itself

Last update 14 March 2015
