
Backdoor:Win32/Hormesu


First posted on 21 February 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Hormesu is also known as BKDR_HORMESU.AB (Trend Micro).

Explanation:

Backdoor:Win32/Hormesu is a trojan that allows backdoor access and control of the affected computer. It utilizes several components in order to install itself on a computer and to perform its payload. These components may be detected as Backdoor:Win32/Hormesu.A, Backdoor:Win32/Hormesu.B, Backdoor:Win32/Hormesu.gen!A and Backdoor:Win32/Hormesu.gen!B.




Installation

When run, Backdoor:Win32/Hormesu checks whether it is currently loaded in the "explorer.exe" process; if it is not, it exits.

It drops the following file:

%windir%\linkinfo.dll

This file (or different versions of this file) may be detected as Backdoor:Win32/Hormesu.A, Backdoor:Win32/Hormesu.gen!A or Backdoor:Win32/Hormesu.gen!B.

It may create the following mutex to ensure that only one instance of itself runs at any time:

UCCodePieceCallerMutex



Payload

Allows backdoor access and control

Backdoor:Win32/Hormesu may load the following file, and run the code inside it:

%windir%\ucgo.dat



This file may be detected as Backdoor:Win32/Hormesu.B and it provides the malware's backdoor access and control functionality.

Backdoor:Win32/Hormesu connects to the following domain to receive instructions from a remote attacker:

dashope.net

The communication between the affected computer and the remote attacker is in the form of encrypted files with a .JPG extension.

Backdoor:Win32/Hormesu may be commanded by the remote attacker to perform the following actions:

  • Check if a specific file exists and is accessible
  • Close a remotely accessible command shell
  • Create a remotely accessible command shell and process any commands sent to it
  • Delete a specified file
  • Download a file
  • Download and execute arbitrary code
  • Execute a specified file
  • Provide a list of currently running processes
  • Send targeted files, located in a particular folder on the affected computer
  • Upload a copy of a requested file

Additional information

Backdoor:Win32/Hormesu may load the file %windir%\tp.dat instead of the file %windir%\ucgo.dat in order to perform its payload.
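The indicators this advisory gives (the files dropped under %windir%, the mutex, and the dashope.net domain) gathered into a host-triage script, added here as an example rather than code from the advisory or from Microsoft; it assumes the files sit directly under %windir%, that the mutex carries no Global\ prefix, and that the mutex check runs on Windows (elsewhere it reports None):

```python
"""Host-triage helpers for the Backdoor:Win32/Hormesu indicators in this advisory.
Assumptions not stated by the advisory: the dropped files sit directly under
%windir% and the mutex lives in the caller's session namespace (no Global\\ prefix).
"""
import ctypes
import ntpath
import os
import sys

# File artifacts named in the advisory, relative to %windir%.
HORMESU_FILES = ("linkinfo.dll", "ucgo.dat", "tp.dat")
# Mutex the advisory says the backdoor creates so that only one instance runs.
HORMESU_MUTEX = "UCCodePieceCallerMutex"
# Domain the advisory says the backdoor contacts for instructions.
HORMESU_C2_DOMAINS = ("dashope.net",)

def check_dropped_files(windir, is_file=os.path.isfile):
    """Return the advisory's file paths that exist directly under windir.
    Paths are built with ntpath so they stay Windows paths even when this runs
    on another OS, e.g. against a mounted disk image (pass a custom is_file)."""
    candidates = (ntpath.join(windir, name) for name in HORMESU_FILES)
    return [p for p in candidates if is_file(p)]

def mutex_present(name=HORMESU_MUTEX):
    """True if a mutex with this name exists, False if not, None off Windows."""
    if sys.platform != "win32":
        return None  # OpenMutexW is a Windows-only API
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = (ctypes.c_void_p,)
    handle = kernel32.OpenMutexW(0x00100000, 0, name)  # SYNCHRONIZE is enough
    if not handle:
        # ERROR_ACCESS_DENIED (5) means the object exists but we may not open it.
        return ctypes.get_last_error() == 5
    kernel32.CloseHandle(handle)
    return True

def is_c2_domain(hostname):
    """True if a DNS or proxy log hostname is the C2 domain or a subdomain of it."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in HORMESU_C2_DOMAINS)

def triage(windir=None):
    """Run the host checks; windir defaults to the %windir% environment variable."""
    windir = windir or os.environ.get("windir", r"C:\Windows")
    return {"files": check_dropped_files(windir), "mutex": mutex_present()}
```

Run `triage()` as an administrator on the suspect host; a hit on any file, the mutex, or a log hostname matched by `is_c2_domain` warrants pulling the host for full analysis.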



Analysis by Raymond Roberts

Last update 21 February 2012
