Backdoor.Weecnaw
First posted on 03 April 2015.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Weecnaw.
Explanation:
Once executed, the Trojan copies itself to the following location:
%UserProfile%\Application Data\puush\puush.daemon.exe
It then creates the following file:
%UserProfile%\Application Data\puush\.Identifier
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"puush daemon" = "%UserProfile%\Application Data\puush\puush.daemon.exe"
It may also create the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\[RANDOM FOLDER NAME]\"StubPath" = "%UserProfile%\Application Data\puush\puush.daemon.exe"
The Trojan then opens a back door on the compromised computer, and connects to the following remote location:
herd.suid.at:42069
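A defender-side check for the indicators listed above (the Run key value, the Active Setup StubPath entry, and the remote location), added here as an example; it is not part of the Symantec write-up. It runs over a constructed list of simplified registry-write and network-connect records (not real Sysmon output; the SID, user name, component name and process paths are made up) and matches the dropped file by its `\puush\puush.daemon.exe` suffix rather than the literal `%UserProfile%\Application Data` string, because that variable is expanded on disk and on current Windows versions `Application Data` is a junction to `AppData\Roaming`, so either spelling can appear in telemetry. Hive aliases (`HKU\<SID>`, `HKCU`, `HKLM`) are normalised to the long names the write-up uses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators as stated in the write-up for Backdoor.Weecnaw.
PAYLOAD_SUFFIX = "\\puush\\puush.daemon.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "puush daemon"
ACTIVE_SETUP_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components" + "\\"
C2_HOST = "herd.suid.at"
C2_PORT = 42069

# Hive spellings seen in logs: Sysmon records per-user hives as HKU\<SID>\...,
# and analysts often write HKCU / HKLM. Map all of them to the long names.
_HIVE_ALIASES = [
    (re.compile(r"^hku\\s-1-[0-9-]+\\"), "hkey_current_user\\"),
    (re.compile(r"^hkcu\\"), "hkey_current_user\\"),
    (re.compile(r"^hklm\\"), "hkey_local_machine\\"),
]


def normalize_key(key: str) -> str:
    """Lower-case a registry key path and canonicalise its hive name."""
    k = key.strip().strip('"').lower()
    for pattern, replacement in _HIVE_ALIASES:
        k = pattern.sub(lambda _m: replacement, k, count=1)
    return k


def is_payload_path(data: str) -> bool:
    """True when a path or command line ends with the dropped file name."""
    return data.strip().strip('"').lower().endswith(PAYLOAD_SUFFIX)


def check_registry(key: str, value_name: str, data: str) -> Optional[str]:
    """Label a registry write matching either persistence mechanism, else None."""
    k = normalize_key(key)
    if k == normalize_key(RUN_KEY) and value_name.lower() == RUN_VALUE_NAME:
        return "run-key persistence" if is_payload_path(data) else "run-key value name only"
    if (k.startswith(normalize_key(ACTIVE_SETUP_PREFIX))
            and value_name.lower() == "stubpath" and is_payload_path(data)):
        return "active-setup stubpath persistence"
    return None


def check_network(dest_host: str, dest_port) -> Optional[str]:
    """Label an outbound connection to the listed remote host and port, else None."""
    if dest_host.strip().lower().rstrip(".") == C2_HOST and int(dest_port) == C2_PORT:
        return "c2 connection"
    return None


@dataclass
class Hit:
    event_index: int
    indicator: str
    detail: str


def scan(events: List[dict]) -> List[Hit]:
    """Run both checks over simplified event records and collect the matches."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("type") == "registry":
            label = check_registry(ev["key"], ev["value_name"], ev["data"])
            detail = f'{ev["key"]}\\{ev["value_name"]} = {ev["data"]}'
        elif ev.get("type") == "network":
            label = check_network(ev["dest_host"], ev["dest_port"])
            detail = f'{ev["image"]} -> {ev["dest_host"]}:{ev["dest_port"]}'
        else:
            continue
        if label:
            hits.append(Hit(i, label, detail))
    return hits


# Constructed sample events (not real telemetry): the SID, user name,
# component name and process paths are made up for this example.
SAMPLE_EVENTS = [
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "puush daemon",
     "data": r'"C:\Users\alice\Application Data\puush\puush.daemon.exe"'},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ConstructedExampleComponent}",
     "value_name": "StubPath",
     "data": r"C:\Users\alice\AppData\Roaming\puush\puush.daemon.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "ExampleUpdater",
     "data": r"C:\Program Files\Example\updater.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\puush\puush.daemon.exe",
     "dest_host": "herd.suid.at", "dest_port": 42069},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit.event_index}: {hit.indicator}: {hit.detail}")
```

The labels separate a full match (value name plus payload path) from a value-name-only match so triage can weight them: a file name on its own is weak evidence, while the Active Setup entry and a connection to the named host and port corroborate it.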
The Trojan may then perform the following actions:
List drives
List, delete, and move files
Upload, download, and execute files
Create folders
List and end processes
List the status of current TCP and UDP connections
Execute shell commands
Uninstall itself
Log keystrokes
The Trojan may also gather the following information from the compromised computer and send it to the attacker:
System information such as operating system type, memory, user name, and host name
User login credentials
Browser history
Information stored in web browsers such as Internet Explorer, Firefox, Chrome, Opera, and SeaMonkey
Email account information
Windows Live account information
Pidgin account information
Last update: 03 April 2015