Backdoor.Miancha
First posted on 21 February 2014.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Miancha.
Explanation:
When the Trojan is executed, it creates the following files:
%Windir%\.ini
%Windir%\Temp\install.ocx
%Windir%\Temp\instructions.pdf
%Windir%\Temp\instructions64.pdf
The Trojan then creates the following registry keys so that it runs every time Windows starts:
HKUSERS\.default\Software\Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InProcServer32\@ = expand:"C:\WINDOWS\temp\install.ocx"
HKUSERS\.default\Software\Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InProcServer32\"ThreadingModel" = "Apartment"
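A defender-side check for the persistence mechanism and dropped files listed above, added here as an example and not taken from Symantec's write-up. The CLSID and file names are the ones on this page; treating any InProcServer32 under HKEY_USERS\.DEFAULT that resolves into a Temp directory as suspicious is this example's own assumption, intended to catch variants that use a different CLSID.

```powershell
# Added hunting example (not from the Symantec write-up). The CLSID and dropped
# file names come from the description above; flagging any InProcServer32 that
# points into a Temp directory is an assumption of this example. Run elevated.
$KnownClsid = '{B12AE898-D056-4378-A844-6D393FE37956}'
$SuspiciousDirs = @((Join-Path $env:windir 'Temp'), $env:TEMP)

function Test-SuspiciousServerPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # The value is REG_EXPAND_SZ ("expand:" on the page), so resolve %Windir% etc.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($dir in $SuspiciousDirs) {
        if ($dir -and $expanded -like "$dir\*") { return $true }
    }
    return $false
}

# HKEY_USERS is not exposed as a drive by default; map it so .DEFAULT can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = @()
$clsidRoot = 'HKU:\.DEFAULT\Software\Classes\CLSID'
if (Test-Path $clsidRoot) {
    foreach ($key in Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue) {
        $server = Join-Path $key.PSPath 'InProcServer32'
        if (-not (Test-Path $server)) { continue }
        $props = Get-ItemProperty -Path $server -ErrorAction SilentlyContinue
        $dll = $props.'(default)'          # the in-process server DLL path
        $isKnown = $key.PSChildName -eq $KnownClsid
        if ($isKnown -or (Test-SuspiciousServerPath $dll)) {
            $findings += [pscustomobject]@{
                CLSID          = $key.PSChildName
                InProcServer32 = $dll
                ThreadingModel = $props.ThreadingModel
                KnownMiancha   = $isKnown
            }
        }
    }
}

# Dropped files named in the write-up; the downloaded *.ocx set can be added the same way.
$dropped = 'install.ocx', 'instructions.pdf', 'instructions64.pdf' |
    ForEach-Object { Join-Path $env:windir "Temp\$_" } | Where-Object { Test-Path $_ }

$findings | Format-Table -AutoSize
if ($dropped) { 'Dropped files present:'; $dropped }
```

A hit on the known CLSID is a direct match for this description; a hit on the Temp-directory heuristic alone needs the referenced DLL examined before it is treated as malicious.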
The Trojan then connects to the following remote server and opens a backdoor:
testqweasd.tk TCP port 443
It sends the following information from the compromised computer to the attacker:
System version
Host name
IP address
CPU information
It also downloads and decrypts the following files from the remote location to the compromised computer:
%Windir%\Temp\pamtrop.ocx
%Windir%\Temp\oiduas.ocx
%Windir%\Temp\oedivs.ocx
%Windir%\Temp\secivress.ocx
%Windir%\Temp\tidegers.ocx
%Windir%\Temp\ssecorps.ocx
%Windir%\Temp\draobyeks.ocx
%Windir%\Temp\llehss.ocx
%Windir%\Temp\elifs.ocx
%Windir%\Temp\neercss.ocx
Last update 21 February 2014