Backdoor:Win32/Turkojan.A
First posted on 04 January 2020.
Source: Microsoft
Aliases:
Backdoor:Win32/Turkojan.A is also known as Troj/Agent-GMF, Backdoor.Win32.Turkojan.il, BackDoor-CZP, Infostealer.Gampass, Trojan Horse, TROJ_DELF.EFH.
Explanation:
Backdoor:Win32/Turkojan.A is a backdoor trojan that connects to a remote server, allowing an attacker to gain control of the infected system.

Installation
Backdoor:Win32/Turkojan.A copies itself to the Windows folder as mstwain32.exe. It modifies the system registry so that this copy runs every time Windows starts:
Adds value: "mstwain32"
With data: "%windir%\mstwain32.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Payload
Drops Other Malware
Backdoor:Win32/Turkojan.A drops the following files:
ntdtcstp.dll - detected as Trojan:Win32/Turkojan.A!dll
cmsetac.dll - detected as Trojan:Win32/Turkojan.B!dll

Backdoor Capabilities
Backdoor:Win32/Turkojan.A attempts to connect to a remote server so that an attacker can control the infected system. Once connected to the remote server, the attacker can perform actions including:
Obtain passwords
Sniff MSN account details
Open a shell
Get information about the computer
Get clipboard data
Get process and service information
Log keystrokes
Download and execute arbitrary files

Analysis by Matt McCormack
Last update 04 January 2020
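The persistence entry and dropped-file names above are the host indicators a responder can check offline. The following script is an added example, not Microsoft's tooling or anything from the original page: it parses a .reg export of the Run key (as produced by `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`, re-saved as UTF-8) plus a list of file paths collected from the host, and reports entries matching the indicators this page lists. It generalizes slightly beyond the page by matching any Run or RunOnce key (HKCU or HKLM) and by matching on the executable's basename even when the data is a quoted path with arguments. The sample registry text and file paths are constructed for the demonstration; the page does not state where the two DLLs are dropped.

```python
"""Offline triage for the Backdoor:Win32/Turkojan.A indicators listed on this page.
Added example: parses a .reg export and a collected path list, reports matches."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the page (lowercased for case-insensitive matching).
RUN_VALUE_NAME = "mstwain32"
DROPPED_FILES = {"mstwain32.exe", "ntdtcstp.dll", "cmsetac.dll"}
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# A .reg value line looks like  "name"=<data>  ; data is "string", dword:..., hex:...
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " in a single pass."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for a .reg export.
    String data is unescaped; dword:/hex: data is kept raw for the caller to inspect."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def image_name(data: str) -> str:
    """Basename of the executable in Run-key data; handles "quoted path" args."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split(" ")[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_run_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, data) for autostart entries matching the page's indicators.
    Generalization: any ...\\Run or ...\\RunOnce key is inspected, not only HKCU\\...\\Run."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or image_name(data) in DROPPED_FILES:
                hits.append((key, name, data))
    return hits


def find_dropped_files(paths: List[str]) -> List[str]:
    """Collected paths whose basename is one of the dropped-file names."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


# Constructed sample export: one benign entry, one Turkojan-style entry, one non-Run key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"mstwain32"="C:\\Windows\\mstwain32.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# Constructed path list (locations are illustrative; the page gives none for the DLLs).
SAMPLE_PATHS = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\mstwain32.exe",
    r"C:\Windows\ntdtcstp.dll",
]

if __name__ == "__main__":
    for key, name, data in find_run_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"autostart hit: [{key}] {name} = {data}")
    for path in find_dropped_files(SAMPLE_PATHS):
        print(f"dropped file hit: {path}")
```

A hit on the value name alone is not proof of infection (any program can register a value called "mstwain32"), so confirm by hashing the referenced file and submitting it for detection as Backdoor:Win32/Turkojan.A; conversely, a variant could use a different value name, which is why the script also matches on the executable basename.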