Backdoor.Fimlis
First posted on 14 February 2016.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Fimlis.
Explanation:
When the Trojan is executed, it creates the following file:
%Temp%\conhost.exe
The Trojan may connect to the following location:
133.100.202.85 on port 443
The Trojan performs the following actions as long as autchk.xml does not exist in the Windows directory:
Sends the tick count when the connection thread first started
Sends the computer name to the remote location
Receives commands to do nothing or run a file
The Trojan may perform the following actions if it receives a command to run a file:
Download a command line to run along with an optional executable
Create a file named conhost.exe in the temporary directory
The Trojan may create the following file if conhost.exe already exists:
%Temp%\[HEXADECIMAL NUMBER]MSI[HEXADECIMAL NUMBER].exe
The Trojan may then perform the following actions:
Write the received executable to a specific file
Run the executable with the specified command line options
Run the command line if an executable was not included
Wait for a process to exit and then delete it if an executable was written
The Trojan may perform other malicious actions by downloading and executing arbitrary files.
Last update 14 February 2016
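The file names and network location listed above can be checked against endpoint telemetry. The following is an added example, not part of the Symantec write-up: it matches process and connection events against those indicators. The event field names (host, image, dest_ip, dest_port), the sample events, and the assumption that %Temp% resolves to a directory named "Temp" are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
C2_ENDPOINT = ("133.100.202.85", 443)
DROP_NAME = "conhost.exe"
# %Temp%\[HEXADECIMAL NUMBER]MSI[HEXADECIMAL NUMBER].exe
ALT_DROP = re.compile(r"^[0-9a-f]+MSI[0-9a-f]+\.exe$", re.IGNORECASE)

def in_temp(path: PureWindowsPath) -> bool:
    # Assumption: %Temp% expands to a directory whose last component is "Temp".
    return path.parent.name.lower() == "temp"

def fimlis_hits(event: dict) -> list:
    """Return the reasons an event matches the listed indicators."""
    hits = []
    image = event.get("image")
    if image:
        path = PureWindowsPath(image)
        if in_temp(path):
            # The legitimate conhost.exe lives under System32, not in a temp directory.
            if path.name.lower() == DROP_NAME:
                hits.append("conhost.exe in temp directory")
            elif ALT_DROP.match(path.name):
                hits.append("hex-MSI-hex executable in temp directory")
    if (event.get("dest_ip"), event.get("dest_port")) == C2_ENDPOINT:
        hits.append("connection to listed address on port 443")
    return hits

def scan(events):
    """Return (host, hits) for every event with at least one match."""
    results = [(e.get("host"), fimlis_hits(e)) for e in events]
    return [(host, hits) for host, hits in results if hits]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\conhost.exe"},
    {"host": "ws-02", "image": r"C:\Users\alice\AppData\Local\Temp\conhost.exe"},
    {"host": "ws-02", "image": r"C:\Users\alice\AppData\Local\Temp\3FA2MSI9C1.exe"},
    {"host": "ws-02", "image": r"C:\Users\alice\AppData\Local\Temp\conhost.exe",
     "dest_ip": "133.100.202.85", "dest_port": 443},
    {"host": "ws-03", "image": r"C:\Program Files\App\app.exe",
     "dest_ip": "133.100.202.85", "dest_port": 80},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(host, "; ".join(hits))
```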