
Backdoor.IRC.Snyd.B


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Backdoor.IRC.Snyd.B is also known as Backdoor.Win32.Breplibot.c (Kaspersky).

Explanation :

Snyd.B is an improved variant of Snyd.A: the author has corrected a few bugs and changed a few strings.

Once executed, the virus will do the following:

1. Checks whether it is running in a sandbox; if it is, it creates the mutex "Super" and exits.

2. Attempts to copy itself to %SYSTEM%\$sys$xp.exe; if this fails, it retries every second.

3. Checks whether it is running for the first time by testing for the existence of the mutex "$sys$xp.exe". If it is the first run, it will:

- create the registry value

"$sys$cmp" = "$sys$xp.exe"

in

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

- attempt to bypass the Windows firewall by running a batch file that registers the trojan as a trusted program in the firewall list

- send a notification of the infection to an Internet address on port 8080

4. If it is not the first run, it will:

- connect to 5 IRC servers, join the #cell channel and wait for commands from the attacker. The commands allow the attacker to query uptime, delete, download and execute files, and retrieve system information (the user name is constructed from the computer name, the user name and random characters).
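The persistence entry and the two mutex names listed above are the host-side indicators a responder can check for. The following triage helper is an added example, not BitDefender's code: it scans a constructed .reg-style export of the Run keys and a constructed list of mutex names (as enumerated from a live host) and reports matches; the sample data and helper names are assumptions.

```python
"""Triage helper for the Snyd.B host indicators described above (added example).
Inputs are constructed: a .reg-style export of the Run keys and a list of
mutex object names as a handle enumeration tool would report them."""
import re

# Indicators from the description above (HKLM/HKCU written out as in a .reg export).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
RUN_VALUE_NAME = "$sys$cmp"
DROPPED_FILE = "$sys$xp.exe"
MUTEXES = {"Super": "sandbox-detected exit", "$sys$xp.exe": "first-run marker"}


def scan_reg_export(reg_text: str) -> list:
    """Return findings for Run-key values matching the Snyd.B persistence entry."""
    findings, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current_key = key.group(1)
            continue
        value = re.fullmatch(r'"([^"]+)"="([^"]*)"', line)
        if value and current_key and current_key.lower() in RUN_KEYS:
            name, data = value.groups()
            # Match either the value name or data pointing at the dropped file.
            if name == RUN_VALUE_NAME or data.lower().endswith(DROPPED_FILE):
                findings.append(f"{current_key}: {name} = {data}")
    return findings


def scan_mutexes(names) -> list:
    """Return findings for mutex names used by Snyd.B (session prefix stripped)."""
    found = []
    for n in names:
        base = n.rsplit("\\", 1)[-1]
        if base in MUTEXES:
            found.append(f"mutex {base!r}: {MUTEXES[base]}")
    return found


# Constructed sample data (not taken from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"$sys$cmp"="$sys$xp.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""
SAMPLE_MUTEXES = [r"\Sessions\1\BaseNamedObjects\$sys$xp.exe", "Super", "SM0:1234:64:WilStaging_02"]

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG) + scan_mutexes(SAMPLE_MUTEXES):
        print(finding)
```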

Last update 21 November 2011
