Backdoor:Win32/Cinasquel.A
First posted on 20 February 2013.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Cinasquel.A.
Explanation:
Installation
Backdoor:Win32/Cinasquel.A may be present in your MySQL plug-in folder as a file with a random name, such as:
cna<random numbers>.dll - for example, cna341.dll
This may indicate that the MySQL server has been compromised, in which case its administrator account is likely to have been compromised as well.
Payload
Allows backdoor access and control
Backdoor:Win32/Cinasquel.A attempts to connect to a remote host via a specified port. Using this backdoor, an attacker can perform a number of actions on your computer. In the wild, we have observed this backdoor downloading arbitrary files.
The downloaded files are saved under C:\Windows\temp and then run. Examples of saved file names are:
- C:\Windows\temp\ise.exe
- C:\Windows\temp\isee.exe
Creates administrator profiles
In the wild, we have observed Backdoor:Win32/Cinasquel.A creating new administrator profiles on certain computers; below are examples of the user names it may use:
- Morgan
- piress
Additional information
Backdoor:Win32/Cinasquel.A receives a download command from the remote attacker, then checks the registry values of HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp\PortNumber in order to obtain the port number for the Remote Desktop Protocol.
Once it has obtained the port number, the malware uses it to download additional malware from an arbitrary URL.
Note: The URL is supplied by the remote attacker and is not hard-coded in the malware.
The threat also saves the port number and operating system version in a log file under C:\windows, for example:
- C:\Windows\KB20141121.log
- C:\Windows\v3.log
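The artefacts listed in this write-up (the cna<digits>.dll plug-in, the dropped executables under C:\Windows\temp, the log files under C:\Windows and the added administrator names) can be turned into a host triage check. The following Python is an added example, not Microsoft's code: it runs the indicators over a constructed host inventory, and the severity rule (plug-in hit means the MySQL server is compromised, other artefacts alone are only suspicious) is the author's own reading of the text above.

```python
import re
from typing import Dict, List

# Indicators taken from the write-up above; matching is case-insensitive
# because NTFS file names and SAM account names are case-insensitive.
CNA_PLUGIN = re.compile(r"^cna\d+\.dll$", re.IGNORECASE)  # cna<random numbers>.dll
TEMP_DROPS = {"ise.exe", "isee.exe"}                        # saved under C:\Windows\temp
LOG_FILES = {"kb20141121.log", "v3.log"}                    # saved under C:\Windows
ADMIN_NAMES = {"morgan", "piress"}                          # administrator profiles created

# Constructed host inventory standing in for what a collector would gather
# (directory listings plus local Administrators group membership). Not real data.
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "mysql_plugin_dir": ["ha_example.dll", "CNA341.dll", "auth_socket.dll"],
    "windows_temp": ["isee.exe", "~DF3A1B.tmp", "setup.log"],
    "windows_root": ["explorer.exe", "v3.log", "WindowsUpdate.log"],
    "local_admins": ["Administrator", "Morgan", "svc_backup"],
}


def find_cinasquel_indicators(inv: Dict[str, List[str]]) -> List[str]:
    """Return one finding per matched indicator; an empty list means no match."""
    findings: List[str] = []
    for name in inv.get("mysql_plugin_dir", []):
        if CNA_PLUGIN.match(name):
            findings.append(f"mysql plug-in dir: {name} matches cna<digits>.dll")
    for name in inv.get("windows_temp", []):
        if name.lower() in TEMP_DROPS:
            findings.append(f"C:\\Windows\\temp: dropped payload {name}")
    for name in inv.get("windows_root", []):
        if name.lower() in LOG_FILES:
            findings.append(f"C:\\Windows: backdoor log file {name}")
    for user in inv.get("local_admins", []):
        if user.lower() in ADMIN_NAMES:
            findings.append(f"local Administrators: unexpected account {user}")
    return findings


def severity(findings: List[str]) -> str:
    """Hypothetical triage rule: the plug-in DLL means the MySQL server (and
    likely its administrator account) is compromised; other artefacts alone
    are suspicious and need a closer look."""
    if not findings:
        return "clean"
    plugin_hit = any(f.startswith("mysql plug-in dir") for f in findings)
    return "compromised" if plugin_hit else "suspicious"


if __name__ == "__main__":
    hits = find_cinasquel_indicators(SAMPLE_INVENTORY)
    print(severity(hits), *hits, sep="\n - ")
```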
Analysis by Jeong Mun
Last update 20 February 2013