Backdoor:Win32/Gaertob.A
First posted on 15 February 2019.
Source: Microsoft
Aliases:
Backdoor:Win32/Gaertob.A is also known as Trojan.Win32.Buzus.ctwu, W32/Obfuscated.A!genr, Win32/Buzus.CTTV.
Explanation:
Backdoor:Win32/Gaertob.A is a trojan that allows unauthorized access to and control of an affected computer. When ordered to by a remote attacker it can spread via peer-to-peer file sharing. It may also change the affected user's browser start page.

Installation
When executed, Backdoor:Win32/Gaertob.A copies itself to %windir%\rundll.exe and modifies the registry so that this copy runs at each Windows start:
  Adds value: "Windows Firevall Control C"
  With data: "rundll.exe"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note that the dropped file is named rundll.exe, not rundll32.exe (the legitimate Windows DLL host), and that "Firevall" is the trojan's own misspelling; both strings are useful when hunting for this family.

Backdoor:Win32/Gaertob.A checks whether it is loaded from one of the following processes, and if it is, it exits (these names are typical of sandbox and virtual-machine analysis environments):
  sandbox
  honey
  vmware
  currentuser

Backdoor:Win32/Gaertob.A may create the mutex "nmmxm" to ensure that multiple copies of the trojan do not run simultaneously.

Backdoor:Win32/Gaertob.A also creates a batch file that it uses to delete its original executable. The filename of this batch file uses the following format:
  rmme<4 random numbers>.bat

Spreads via…
Peer-to-peer file sharing
When ordered to by a remote attacker, Backdoor:Win32/Gaertob.A checks for the following folders under the Program Files directory:
  icq\shared folder
  grokster\my grokster
  bearshare\shared
  edonkey2000\incoming
  emule\incoming
  morpheus\my shared folder
  limewire\shared
  tesla\files
  winmx\shared
If any of these folders are present, it may drop a copy of itself into them using one of the following file names:
  HotmailHacker.exe
  YahooCracker.exe
  MSNHacks.exe
  paris-hilton.scr
  VistaUltimate-Crack.exe
  image.scr
  Porno.MPEG.exe
  LimeWireCrack.exe
  RapidsharePREMIUM.exe
  WildHorneyTeens.scr
  Ebooks.exe
  How-to-make-money.exe
  ScreenMelter.exe
  DDOSPING.exe
  Wireshark.exe
  Autoloader.exe
  FREEPORN.exe
  f**ksh*tc**t.scr
  ilovetof**k.scr
*Note: These filenames may have been modified due to their possibly offensive content.

Payload
Allows backdoor access and control
Backdoor:Win32/Gaertob.A allows unauthorized access to and control of the affected computer. It joins a specified IRC channel and awaits commands from a remote attacker. Using this backdoor, an attacker can perform the following actions:
  Download and execute arbitrary files
  Update the trojan
  Terminate processes
  Propagate via MSN Messenger by sending a copy of itself with the filename _0014.jpeg-www.imageshack.exe
  Propagate via P2P file sharing (see the "Spreads via…" section above for additional detail)

Modifies system security settings
Backdoor:Win32/Gaertob.A modifies the following registry entry in order to add itself to the Windows Firewall authorized applications list:
  Modifies value: "List"
  With data: ":*:enabled:windows firevall control c"
  To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
Entries in this list take the form <program path>:*:Enabled:<display name>, so the effect is to let the trojan's executable accept inbound connections without a firewall prompt.

Modifies hosts file
Backdoor:Win32/Gaertob.A modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a host name to a particular IP address before any DNS query is made. Malicious software may modify the Hosts file to redirect specified host names to different IP addresses; malware often does this to stop users from reaching web sites associated with security-related applications, such as antivirus vendors. Backdoor:Win32/Gaertob.A modifies the Hosts file to redirect the following hosts to localhost (127.0.0.1):
  avp.com
  ca.com
  customer.symantec.com
  dispatch.mcafee.com
  download.mcafee.com
  f-secure.com
  kaspersky-labs.com
  kaspersky.com
  liveupdate.symantec.com
  liveupdate.symantecliveupdate.com
  mast.mcafee.com
  mcafee.com
  my-etrust.com
  nai.com
  networkassociates.com
  rads.mcafee.com
  scanner.novirusthanks.org
  secure.nai.com
  securityresponse.symantec.com
  sophos.com
  symantec.com
  threatexpert.com
  trendmicro.com
  update.symantec.com
  updates.symantec.com
  us.mcafee.com
  virscan.org
  viruslist.com
  virusscan.jotti.org
  virustotal.com
  www.avp.com
  www.ca.com
  www.f-secure.com
  www.grisoft.com
  www.kaspersky.com
  www.mcafee.com
  www.my-etrust.com
  www.nai.com
  www.networkassociates.com
  www.scanner.novirusthanks.org
  www.sophos.com
  www.symantec.com
  www.trendmicro.com
  www.virscan.org
  www.viruslist.com
  www.virusscan.jotti.org
  www.virustotal.com

Modifies browser settings
Backdoor:Win32/Gaertob.A may change the affected user's home page to:
  www.gllod.com

Analysis by Francis Allan Tan Seng
Last update 15 February 2019
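The following triage script is an added example; it is not part of the Microsoft write-up and not the trojan's code. It checks a Windows host, read-only, for the artifacts listed above: the dropped %windir%\rundll.exe, the "Windows Firevall Control C" Run value, a firewall authorized-application entry mentioning "firevall", the "nmmxm" mutex, Hosts-file lines that pin the security-vendor domains, lure-named copies in the P2P share folders, and a home page pointing at www.gllod.com. Two details are assumptions rather than page facts: the mutex namespace is not stated, so both the session-local name and the Global\ name are tried, and the "home page" is taken to be Internet Explorer's "Start Page" value under HKCU.

```powershell
# Added triage script (not Microsoft's code and not the trojan's): read-only checks for the
# Backdoor:Win32/Gaertob.A artifacts described on this page. Run from an elevated prompt.
# Assumptions (not stated on the page): the mutex may live in either the session-local or
# the Global\ namespace; the "home page" is the IE "Start Page" value under HKCU.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy. The legitimate DLL host is rundll32.exe; rundll.exe under %windir% is not expected.
$dropPath = Join-Path $env:windir 'rundll.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings.Add("Dropped copy present: $dropPath (SHA256 $hash)")
}

# 2. Persistence: the Run value with the trojan's misspelled name.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and ($runProps.PSObject.Properties.Name -contains 'Windows Firevall Control C')) {
    $findings.Add("Run value present: 'Windows Firevall Control C' = $($runProps.'Windows Firevall Control C')")
}

# 3. Firewall exception: any value under AuthorizedApplications (or its List subkey) whose data
#    mentions "firevall". Values are named after the program path; data is <path>:*:Enabled:<name>.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications'
foreach ($key in @($fwBase, "$fwBase\List")) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath/... members
        if ("$($p.Value)" -match 'firevall') { $findings.Add("Firewall exception: $key\$($p.Name) = $($p.Value)") }
    }
}

# 4. Mutex: OpenExisting throws WaitHandleCannotBeOpenedException when the name is absent.
foreach ($name in @('nmmxm', 'Global\nmmxm')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings.Add("Mutex '$name' exists: an instance is probably running now")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex '$name' exists but could not be opened (access denied)")
    }
}

# 5. Hosts file: flag any line that pins one of the security-vendor domains from the page's list.
$vendorDomains = @('avp.com','ca.com','f-secure.com','grisoft.com','kaspersky-labs.com','kaspersky.com',
    'mcafee.com','my-etrust.com','nai.com','networkassociates.com','novirusthanks.org','sophos.com',
    'symantec.com','symantecliveupdate.com','threatexpert.com','trendmicro.com','virscan.org',
    'viruslist.com','jotti.org','virustotal.com')
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    $lineNo = 0
    foreach ($line in (Get-Content -LiteralPath $hostsPath)) {
        $lineNo++
        $entry = ($line -split '#', 2)[0].Trim()     # drop trailing comments
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        foreach ($hn in $fields[1..($fields.Count - 1)]) {
            $h = $hn.ToLowerInvariant()
            if ($vendorDomains | Where-Object { $h -eq $_ -or $h.EndsWith(".$_") }) {
                $findings.Add("hosts line ${lineNo}: $hn -> $ip")
            }
        }
    }
}

# 6. P2P share folders seeded with the lure file names (both Program Files directories).
$shareDirs = @('icq\shared folder','grokster\my grokster','bearshare\shared','edonkey2000\incoming',
    'emule\incoming','morpheus\my shared folder','limewire\shared','tesla\files','winmx\shared')
$lureNames = @('HotmailHacker.exe','YahooCracker.exe','MSNHacks.exe','paris-hilton.scr','VistaUltimate-Crack.exe',
    'image.scr','Porno.MPEG.exe','LimeWireCrack.exe','RapidsharePREMIUM.exe','WildHorneyTeens.scr','Ebooks.exe',
    'How-to-make-money.exe','ScreenMelter.exe','DDOSPING.exe','Wireshark.exe','Autoloader.exe','FREEPORN.exe')
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($pf in $programDirs) {
    foreach ($d in $shareDirs) {
        $dir = Join-Path $pf $d
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($n in $lureNames) {
            $f = Join-Path $dir $n
            if (Test-Path -LiteralPath $f) { $findings.Add("P2P share drop: $f") }
        }
    }
}

# 7. Browser start page (assumed to be the IE "Start Page" value).
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain -and ("$($ieMain.'Start Page')" -match 'gllod\.com')) {
    $findings.Add("IE Start Page points at gllod.com: $($ieMain.'Start Page')")
}

if ($findings.Count -eq 0) { Write-Output 'No Backdoor:Win32/Gaertob.A artifacts found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

The firewall and Hosts checks are deliberately broader than the page's exact values: they match on the "firevall" substring and on any Hosts line that pins a vendor domain, whatever the target address, so a variant that changes the path or the redirect IP still shows up. The script only reports; the Run value, the firewall entry and the Hosts lines are left for the analyst to review and remove, and the mutex check is the only finding that indicates a live process rather than a leftover artifact.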