
Backdoor.Weevil


First posted on 21 February 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Weevil.

Explanation:

When the Trojan is executed, it may create the following files:
%System%\objframe.dll
C:\Documents and Settings\All Users\Application Data\Roaming\Microsoft\objframe.dll

The Trojan may then create the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\"InprocServer32" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73 74 65 6D 33 32 5C 62 72 6F 77 73 65 75 69 2E 64 6C 6C 00"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\"InprocServer32" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73 74 65 6D 33 32 5C 65 78 70 6C 6F 72 65 72 66 72 61 6D 65 2E 64 6C 6C 00"
(The two binary values are NUL-terminated ANSI strings; they decode to %SystemRoot%\system32\browseui.dll and %SystemRoot%\system32\explorerframe.dll, two legitimate Windows shell DLLs.)

Next, the Trojan may modify the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\"InProcServer32" = "%System%\objframe.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\"InProcServer32" = "C:\Documents and Settings\All Users\Application Data\Roaming\Microsoft\Roaming\Microsoft\objframe.dll"

Pointing the InProcServer32 entry of an existing CLSID at objframe.dll is a COM hijack: whenever a process instantiates that legitimate COM class, COM loads the malicious DLL in place of the DLL that was registered for it. This is how the Trojan gets its DLL loaded when a specific legitimate DLL would otherwise be loaded, without needing a Run key or service of its own.

The Trojan searches the compromised computer for any of the following files:
%System%\CHTBRKR.DLL
%System%\CLICONFG.DLL
%System%\DMCONFIG.DLL
%System%\MFC42.DLL
%System%\MFWMAAEC.DLL
%System%\MSJET40.DLL
%System%\ntdsa.dll
%System%\oakley.dll
%System%\OPENGL32.DLL
%System%\PIDGENX.DLL
%System%\PNPUI.DLL
%System%\qmgr.dll
%System%\quartz.dll
%System%\VERIFIER.DLL
%System%\WMDRMDEV.DLL
%System%\WMDRMNET.DLL
%System%\WMICMIPLUGIN.DLL
%System%\WMNETMGR.DLL
%System%\WPDSP.DLL

If any one of these files is found, that DLL is loaded into memory. The Trojan may then inject malicious code into the loaded DLL, which opens a back door and can steal information from the compromised computer.
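The registry changes above are the most reliable host indicator for this family, and they can be checked offline from a `reg export` of HKLM\SOFTWARE\Classes\CLSID. The following is an added example written for this page; it is not Symantec's or the malware author's code. It parses a constructed .reg sample (not a real capture), decodes the REG_BINARY `hex:` values into the NUL-terminated strings shown above, and flags any CLSID whose in-process server is objframe.dll, lives outside the system directory, or is the CLSID the writeup says the Trojan creates. The writeup's shorthand `{CLSID}\"InprocServer32" = ...` names a value under the CLSID key, whereas a standard COM registration stores the path as the default value of an `InProcServer32` subkey, so the checker accepts both shapes. The `TRUSTED_PREFIXES` list and the benign shell32.dll entry are assumptions for the example.

```python
import re
from ntpath import basename  # Windows path semantics regardless of host OS

# CLSIDs and file name taken from the writeup above.
HIJACKED_CLSID = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"  # existing class whose server is redirected
CREATED_CLSID = "{E6BB64BE-0618-4353-9193-0AFE606D6F0C}"   # key the Trojan adds
MALICIOUS_DLL = "objframe.dll"
# Assumption: an in-process server for a shell CLSID should live under the system directory.
TRUSTED_PREFIXES = ("%systemroot%\\system32\\", "%system%\\", "c:\\windows\\system32\\")

# Constructed sample of a `reg export HKLM\SOFTWARE\Classes\CLSID out.reg` file:
# the entry Weevil creates (REG_BINARY), the entry it modifies, and one benign
# shell class for contrast. Not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}]
"InprocServer32"=hex:25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,62,72,6f,77,73,65,75,69,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32]
@="%System%\\objframe.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021400-0000-0000-C000-000000000046}\InProcServer32]
@="%SystemRoot%\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
"""


def decode_hex_string(raw):
    """Decode a REG_BINARY 'hex:' payload ("25,53,...,00") that holds a NUL-terminated ANSI string."""
    data = bytes(int(b, 16) for b in raw.split(",") if b)
    return data.split(b"\x00", 1)[0].decode("latin-1")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: decoded_value}}.
    Supports REG_SZ values (@= default and "name"=) and REG_BINARY hex: values,
    including the trailing-backslash line continuation reg.exe emits for long data."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith("hex:"):
                value = decode_hex_string(raw[4:])
            else:
                value = raw.strip('"').replace("\\\\", "\\")  # .reg escapes backslashes
            keys[current][name] = value
    return keys


def inproc_server(keys, clsid):
    """Return the in-process server path registered for a CLSID, or None.
    Accepts the standard InProcServer32 subkey default value and the flat
    "InprocServer32" value notation used in the writeup."""
    base = f"hkey_local_machine\\software\\classes\\clsid\\{clsid.lower()}"
    for key, values in keys.items():
        k = key.lower()
        if k == base + "\\inprocserver32" and "(Default)" in values:
            return values["(Default)"]
        if k == base:
            for name, value in values.items():
                if name.lower() == "inprocserver32":
                    return value
    return None


def find_com_hijacks(keys):
    """Return sorted (clsid, server_path, reason) tuples for suspicious registrations."""
    findings = set()
    for key in keys:
        m = re.search(r"CLSID\\(\{[0-9A-Fa-f-]{36}\})", key)
        if not m:
            continue
        clsid = m.group(1).upper()
        path = inproc_server(keys, clsid)
        if path is None:
            continue
        lowered = path.lower()
        if clsid == CREATED_CLSID:
            findings.add((clsid, path, "CLSID created by Backdoor.Weevil"))
        elif basename(lowered) == MALICIOUS_DLL:
            findings.add((clsid, path, "known Backdoor.Weevil DLL"))
        elif not lowered.startswith(TRUSTED_PREFIXES):
            findings.add((clsid, path, "in-process server outside system directory"))
    return sorted(findings)


if __name__ == "__main__":
    for clsid, path, reason in find_com_hijacks(parse_reg_export(SAMPLE_REG)):
        print(f"{clsid}  {path}  [{reason}]")
```

On a live host, replace `SAMPLE_REG` with the contents of `reg export HKLM\SOFTWARE\Classes\CLSID out.reg` (and the HKCU hive, since per-user CLSID entries override machine ones). The third rule is the generic one: any shell CLSID whose server resolves outside the system directory deserves a look even when the file name is not objframe.dll.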

Last update 21 February 2014
