Backdoor.Alienspy
First posted on 18 April 2015.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Alienspy.
Explanation:
When the Trojan is executed, it creates the following files:
%AppData%\[FOLDER NAME]\Desktop.ini
%AppData%\[FOLDER NAME]\[FILE NAME]
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[REGISTRY NAME]" = ""[PATH TO JAVA RUNTIME ENVIRONMENT]" -jar "%AppData%\[FOLDER NAME]\[FILE NAME]""
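As an added example (not part of the Symantec writeup), the following Python flags Run values that match the persistence pattern above: a Java runtime launched with -jar on a file under %AppData%. The sample entries are constructed for illustration, and read_run_entries only returns data on a Windows host.

```python
import re

# Constructed sample Run values (not from the page); two follow the pattern described above.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "SunJavaUpdateSched": r'"C:\Program Files\Java\jre7\bin\jusched.exe"',
    "WindowsUpdater": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "%AppData%\WindowsUpdater\Updater.jar"',
    "Jvm": r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\alice\AppData\Roaming\Jvm\jvm.jar"',
    "DevTool": r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Tools\tool.jar"',
}
# First token is java.exe or javaw.exe, with or without a path or extension.
JAVA_EXE = re.compile(r"(?:^|[\\/])javaw?(?:\.exe)?$", re.IGNORECASE)
# Jar path lives under the roaming profile, written as %AppData% or already expanded.
APPDATA = re.compile(r"%AppData%\\|\\AppData\\Roaming\\", re.IGNORECASE)
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def tokenize(cmd: str) -> list[str]:
    """Split a Run-value command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def is_alienspy_style(cmd: str) -> bool:
    """True when a Java runtime is launched with -jar on a file under %AppData%."""
    toks = tokenize(cmd)
    if len(toks) < 3 or not JAVA_EXE.search(toks[0]):
        return False
    for i, tok in enumerate(toks[1:-1], start=1):
        if tok.lower() == "-jar":
            return bool(APPDATA.search(toks[i + 1]))
    return False


def scan_entries(entries: dict[str, str]) -> list[str]:
    """Names of Run values whose data matches the persistence pattern."""
    return [name for name, cmd in entries.items() if is_alienspy_style(cmd)]


def read_run_entries() -> dict[str, str]:
    """Read HKLM and HKCU Run values on a live Windows host; empty dict elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the value count
                    name, data, _ = winreg.EnumValue(key, i)
                    found[name] = str(data)
        except OSError:  # key missing or not readable
            continue
    return found
```

Running scan_entries(read_run_entries()) on a Windows host lists live Run values matching the pattern; a hit needs the referenced jar inspected, since legitimate software rarely persists this way from %AppData%.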
The Trojan opens a back door on the compromised computer and connects to the following remote locations:
38.89.137.248:1064
moneybank92.no-ip.biz:2553
204.45.207.40:1077
Note: The Trojan can be configured to use any C&C server and port.
The Trojan may then perform any of the following actions:
Collect system information
Read, write, or delete files
Use remote desktop to watch user activity
Log keystrokes
Steal browser passwords
Download and execute files
Capture webcam video and microphone audio
Display a message dialog
Open specified URLs
Update and uninstall itself
Shut down and restart the C&C connection
Detect VMware and VirtualBox
Terminate or hijack antivirus product processes
Last update 18 April 2015