Backdoor:Win32/Netbot.D
First posted on 30 May 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Netbot.D is also known as Win32/Heri (AVG), Trojan.MulDrop3.48948 (Dr.Web), Generic.evx!bx (McAfee), Mal/Generic-L (Sophos).
Explanation:
Backdoor:Win32/Netbot.D is a trojan that contacts a remote command and control (C&C) server to send information about your computer and to download and execute files.
Installation
When run, this trojan creates a file in the Windows system folder named "rzmctfy.cc3" and modifies your system registry to run the dropped file when you start Windows.
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\svchost
Sets value: "Description"
To data: " monitor the system security settings and configuration services."
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\svchost\Parameters
Sets value: "ServiceDll"
To data: "<system folder>\rzmctfy.cc3"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "start"
To data: "svchost"
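The three registry changes above amount to registering the dropped file as a svchost-hosted service. As an added example (not part of Microsoft's entry), the following script parses a regedit-style export of those keys and flags both tell-tales: a ServiceDll that is not a .dll, and a svchost group that loads a service called "svchost". The export text is constructed sample data; the Dnscache entry is included only as a benign control and is not mentioned in the entry.

```python
# Constructed .reg-style export of the keys this entry names (sample, not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost]
"Description"=" monitor the system security settings and configuration services."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"ServiceDll"="C:\\Windows\\System32\\rzmctfy.cc3"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="C:\\Windows\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"start"="svchost"
"""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
GROUPS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

def parse_reg_export(text):
    """Minimal regedit 5.00 parser -> {key_path: {value_name: data}}.
    String values are unescaped; other types (dword:, hex:) keep their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys

def find_indicators(keys):
    """Flag the entry's two changes: a ServiceDll (under Services\\<name>\\Parameters)
    that is not a .dll, as with rzmctfy.cc3, and a svchost group that loads a
    service named 'svchost' (svchost.exe hosts services; it is not itself one)."""
    findings = []
    for path, values in keys.items():
        if path.startswith(SERVICES + "\\") and path.endswith("\\Parameters"):
            service = path.split("\\")[-2]
            dll = values.get("ServiceDll", "")
            if dll and not dll.lower().endswith(".dll"):
                findings.append(f"{service}: ServiceDll {dll} has a non-DLL extension")
    for group, service in keys.get(GROUPS, {}).items():
        if service.lower() == "svchost":
            findings.append(f"svchost group {group!r} loads a service named 'svchost'")
    return findings
```

On a live host the same checks can be run against `reg export` output of the two keys; a real export stores svchost groups as REG_MULTI_SZ (hex(7)), which this minimal parser leaves as raw text.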
Payload
Downloads files
Backdoor:Win32/Netbot.D tries to contact a server named "lineagegame.no-ip.info" using TCP port 9527. Once connected, the trojan could send information about your computer, such as the version of Windows, or screen captures. The trojan could also download a specified file from the server and execute it on your computer.
Analysis by Zhitao Zhou
Last update 30 May 2012