
Trojan.Sysbug.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Sysbug.A is also known as -.

Explanation:

This backdoor is compiled with LCC and packed with UPX; it sends information to a remote site and allows that site to specify the location of a file to download and execute; it also accepts connections to the computer on port 5555. It does not self-replicate (it is not a virus).

When run, it will copy itself as sysdeb32.exe in the Windows folder and create the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemDebug so that the backdoor is run at Windows start-up. It will continue execution from that location.

It calls the RegisterServiceProcess function to hide itself from the task list on Windows 9x systems.

It prepares information about the dial-up connections, email accounts, Windows version, user, etc. in c:\temp35.txt; it will store some hashes for this information in svc.sav in the Windows folder.

A (hidden) window is created and a timer message is sent to it every 5 seconds; upon receiving it, the backdoor checks to see if the computer is connected to the Internet (by trying to resolve "www.kernel.org" to an IP); if it is, the backdoor will communicate with finance.red-host.com to:

- get the URL of a file to download and execute from finance.red-host.com/events.php (the following data is sent: a unique ID based on the process ID and the tick count, the IP, the connection speed - the time needed to connect to www.kernel.org and exchange some data with this site - and the number of times the timer message has been received);

- post the information in c:\temp35.txt to finance.red-host.com/showinfo.php (if successful, the backdoor will wait for 3 minutes before looping again).

A thread is used to listen to incoming connections on TCP port 5555; for each client that connects, an additional thread is used to exchange information with it; based on this information, the backdoor may connect to the client's specified IP and port.
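As an added example (not part of the BitDefender entry), a small Python triage helper that checks a host inventory for the three host-level indicators described above: the SystemDebug Run value or sysdeb32.exe persistence, the listener on TCP port 5555, and HTTP requests to the events.php / showinfo.php scripts on finance.red-host.com. The inventory format and the sample host data are constructed, not taken from the page.

```python
from typing import Dict, Iterable, List, Tuple

# Indicators from the description above: persistence value name, dropped
# file, listener port and the two C2 script paths.
RUN_VALUE = "systemdebug"
DROPPED_EXE = "sysdeb32.exe"
LISTEN_PORT = 5555
C2_HOST = "finance.red-host.com"
C2_PATHS = {"/events.php", "/showinfo.php"}

def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag a Run value named SystemDebug, or any Run value whose command
    line references sysdeb32.exe (the value name is the easiest thing for a
    variant to change, so both are checked)."""
    return [f"Run\\{name} -> {cmd}" for name, cmd in run_values.items()
            if name.lower() == RUN_VALUE or DROPPED_EXE in cmd.lower()]

def check_listeners(listeners: Iterable[Tuple[str, int, str]]) -> List[str]:
    """Flag any TCP listener on port 5555 together with its owning process."""
    return [f"{proc} listening on {proto}/{port}" for proto, port, proc in listeners
            if proto.upper() == "TCP" and port == LISTEN_PORT]

def check_http(requests: Iterable[Tuple[str, str]]) -> List[str]:
    """Flag requests to finance.red-host.com/events.php or /showinfo.php,
    ignoring any query string the backdoor appends."""
    return [f"{host}{path}" for host, path in requests
            if host.lower() == C2_HOST and path.split("?", 1)[0] in C2_PATHS]

def triage(host: dict) -> Dict[str, List[str]]:
    """Run all three checks and return only the categories that matched."""
    results = {
        "persistence": check_run_values(host.get("run_values", {})),
        "listener": check_listeners(host.get("listeners", [])),
        "c2_http": check_http(host.get("http_requests", [])),
    }
    return {k: v for k, v in results.items() if v}

# Constructed sample host (hypothetical inventory): infected entries beside benign noise.
SAMPLE_HOST = {
    "run_values": {"OneDrive": r"C:\Users\a\AppData\Local\OneDrive.exe",
                   "SystemDebug": r"C:\WINDOWS\sysdeb32.exe"},
    "listeners": [("TCP", 445, "System"), ("TCP", 5555, "sysdeb32.exe")],
    "http_requests": [("www.kernel.org", "/"),
                      ("finance.red-host.com", "/events.php?id=1234&ip=10.0.0.5")],
}

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_HOST).items():
        print(category, hits)
```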

Last update 21 November 2011
