Backdoor:Win32/Aycheh.A
First posted on 11 June 2010.
Source: SecurityHome
Aliases :
Backdoor:Win32/Aycheh.A is also known as Worm.Rbot.AYDN (VirusBuster), WORM/Rbot.Gen (Avira), BackDoor!cqz (McAfee), BACKDOOR.Trojan (Symantec), BKDR_HTTBOT.EA (Trend Micro).
Explanation :
Backdoor:Win32/Aycheh.A is a trojan with backdoor capabilities that can allow a remote attacker to access and control an infected computer.
Installation

Backdoor:Win32/Aycheh.A may create the following mutex to ensure that only one instance of itself is running:

{WMI-79170F60-954E-47f3-A9A3-595F2F242B30-0810}

It also creates the following non-malicious files as part of its installation process:

<system folder>wmicfg32.dat
%Temp%\mywmimutex.dat

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Payload

Allows backdoor access and control

Backdoor:Win32/Aycheh.A receives instructions via HTTP POST commands on port 80. The instructions it may receive from a remote attacker include, but are not limited to, the following:

- Checks if the computer has security updates installed
- Checks the Operating System version
- Downloads and executes other, possibly malicious, files
- Updates itself
- Enumerates drives
- Performs file handling operations on the computer, such as:
  - copying files
  - creating folders
  - deleting files
  - enumerating files
  - executing files
  - moving files
  - renaming files
  - uploading files
Analysis by Marianne Mallen
Last update 11 June 2010
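
As an added example (not part of the original write-up), the installation traces listed above can be matched against a file and named-object inventory collected from a host during triage. The function name, the sample inventory and the rule that %Temp% resolves to a folder named "Temp" are assumptions of this example, as is reading the first file path as a file placed directly in the system folder.

```python
import ntpath

# Indicators and default system folders as listed in the write-up above.
MUTEX = "{WMI-79170F60-954E-47f3-A9A3-595F2F242B30-0810}"
SYSTEM_MARKER = "wmicfg32.dat"
TEMP_MARKER = "mywmimutex.dat"
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

def _norm(path):
    # Windows file paths are case-insensitive: fold case, separators and "..".
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def check_host(file_paths, object_names):
    """Return (indicator, evidence) pairs found in a collected host inventory."""
    hits = []
    for raw in file_paths:
        folder, name = ntpath.split(_norm(raw))
        if name == SYSTEM_MARKER and folder in SYSTEM_DIRS:
            hits.append(("system-folder file", raw))
        # Assumption: %Temp% resolved to a directory named "Temp".
        elif name == TEMP_MARKER and ntpath.basename(folder) == "temp":
            hits.append(("temp file", raw))
    for raw in object_names:
        # Handle listings show a namespace prefix such as
        # \Sessions\1\BaseNamedObjects\<name>; compare the last component.
        # Win32 mutex names compare case-sensitively, so match exactly.
        if raw.strip().rsplit("\\", 1)[-1] == MUTEX:
            hits.append(("mutex", raw))
    return hits

# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\WMICFG32.DAT",
    r"C:\Users\alice\AppData\Local\Temp\mywmimutex.dat",
    r"C:\Users\alice\Documents\wmicfg32.dat",   # right name, wrong folder
]
SAMPLE_OBJECTS = [
    r"\Sessions\1\BaseNamedObjects\{WMI-79170F60-954E-47f3-A9A3-595F2F242B30-0810}",
    r"\BaseNamedObjects\SomeOtherMutex",
]

if __name__ == "__main__":
    for indicator, evidence in check_host(SAMPLE_FILES, SAMPLE_OBJECTS):
        print(f"{indicator}: {evidence}")
```

Because the write-up describes the two files as non-malicious, a file hit marks an installation trace rather than the malware binary itself, while a mutex hit means an instance was running when the inventory was taken.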