Backdoor.Bebsplug

First posted on 07 January 2016.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Bebsplug.

Explanation:

When the Trojan is executed, it creates the following files:
%AllUsersProfile%\Application Data\SSONSVR\
%AllUsersProfile%\Application Data\SSONSVR\aclmain.sdb
%AllUsersProfile%\Application Data\SSONSVR\pnipcn.dll
%AllUsersProfile%\Application Data\SSONSVR\ssonsvr.exe
The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ssonsvr.exe" = "%AllUsersProfile%\Application Data\SSONSVR\ssonsvr.exe"
The Trojan may open a back door on the compromised computer, and connect to one of the following remote locations:
kop.gupdiic.com
panaba.empleoy-plan.com
peak.measurepeak.com
financenewsu.net
transactiona.com
adobeflashupdate.dynu.com
systemupdate5.dtdns.net
winwordupdate.dynu.com
support.yandexmailru.kr
adobeflashupdate1.strangled.net
herman.eergh.com
loomon.gupdiicc.com
prdaio.unbrtel.com
blueway.garmio-drive.com
crew.wichedgecrew.com
helloway.floretdog.com
www.testzake.com
The Trojan may steal the following information and send it to a remote location:
User name
Computer name
System information
Local IP address
The Trojan may perform the following actions:
Execute shellcode
Start services
Stop services
Modify services
Run processes
Kill running processes
Check running processes
Read files
Modify files
Read directories
Modify directories
Obtain drive information
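The indicators listed above (the Run-key persistence entry and the remote hosts) are what a defender would actually hunt for. The following is an added example, not part of the Symantec write-up: it embeds those indicators and checks them against (a) constructed DNS query log lines in an assumed "<timestamp> <client_ip> <qtype> <qname>" format and (b) a Run-key value name/data pair as an administrator might export it. The log format, the sample lines and the suffix-based path comparison (so that an already-expanded %AllUsersProfile% still matches) are assumptions of this example, not details from the write-up.

```python
import re
from typing import List, Optional, Tuple

# Remote locations listed in the write-up (normalised to lower case).
C2_DOMAINS = {
    "kop.gupdiic.com", "panaba.empleoy-plan.com", "peak.measurepeak.com",
    "financenewsu.net", "transactiona.com", "adobeflashupdate.dynu.com",
    "systemupdate5.dtdns.net", "winwordupdate.dynu.com", "support.yandexmailru.kr",
    "adobeflashupdate1.strangled.net", "herman.eergh.com", "loomon.gupdiicc.com",
    "prdaio.unbrtel.com", "blueway.garmio-drive.com", "crew.wichedgecrew.com",
    "helloway.floretdog.com", "www.testzake.com",
}

# Persistence entry from the write-up: HKLM\...\CurrentVersion\Run\"ssonsvr.exe".
# The value name alone is not decisive; we require the SSONSVR path as well.
RUN_VALUE_NAME = "ssonsvr.exe"
RUN_VALUE_DATA_SUFFIX = r"\application data\ssonsvr\ssonsvr.exe"

# Assumed log layout for this example: "<timestamp> <client_ip> <qtype> <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)\s*$")

# Constructed sample lines (not real traffic); the third one is a subdomain of a
# listed host with a trailing dot, the fourth is a near-miss that must not match.
SAMPLE_DNS_LOG = [
    "2016-01-07T10:15:02Z 10.0.0.12 A kop.gupdiic.com",
    "2016-01-07T10:15:03Z 10.0.0.12 A www.example.com",
    "2016-01-07T10:16:40Z 10.0.0.25 A beacon.adobeflashupdate.dynu.com.",
    "2016-01-07T10:17:01Z 10.0.0.25 AAAA notgupdiic.com",
    "malformed line",
]


def domain_matches(qname: str) -> Optional[str]:
    """Return the listed indicator that qname equals or is a subdomain of, else None."""
    labels = qname.strip().rstrip(".").lower().split(".")
    # Walk from the full name down to the registrable part, stopping before the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_indicator) for every hit; skip unparsable lines."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        indicator = domain_matches(m["qname"])
        if indicator:
            hits.append((m["client"], m["qname"].lower().rstrip("."), indicator))
    return hits


def is_bebsplug_run_value(name: str, data: str) -> bool:
    """True when a Run-key (name, data) pair matches the persistence entry from the write-up.

    Both fields may carry surrounding quotes (as in exported .reg text); comparison is
    case-insensitive and tolerates an already-expanded %AllUsersProfile% prefix.
    """
    if name.strip().strip('"').lower() != RUN_VALUE_NAME:
        return False
    return data.strip().strip('"').lower().endswith(RUN_VALUE_DATA_SUFFIX)


if __name__ == "__main__":
    for client, qname, indicator in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} (matches {indicator})")
    print(is_bebsplug_run_value(
        '"ssonsvr.exe"',
        r'"C:\Documents and Settings\All Users\Application Data\SSONSVR\ssonsvr.exe"'))
```

Suffix matching on the expanded path is deliberate: on the systems this family targets %AllUsersProfile% resolves differently per Windows version, so comparing the literal unexpanded string from the write-up would miss a live entry. Matching subdomains of the listed hosts catches a different host label under the same operator-controlled zone without flagging the dynamic DNS providers themselves.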

Last update 07 January 2016
