Home / malwarePDF  

Backdoor:Win32/Dynektos.A


First posted on 01 July 2014.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Dynektos.A.

Explanation :

Threat behavior

Installation

Backdoor:Win32/Dynektos.A creates the following files on your PC:

  • c:\documents and settings\administrator\srlptg..vbs
  • c:\documents and settings\administrator\application data\sub7\csrss.exe - detected as Backdoor:Win32/Dynektos.A
  • c:\documents and settings\administrator\betnhnzfz\xdir.exe - detected as Backdoor:Win32/Dynektos.A
  • c:\documents and settings\administrator\local settings\temp\~a21524.log


Payload

Changes system security settings

Backdoor:Win32/Dynektos.A disables the Least Privileged User Account (LUA), also known as the ?administrator in Admin Approval Mode? user type. It does this by making the following registry modifications:

Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Note: Disabling the LUA allows all applications to run by default with all administrative privileges. You won't be asked for explicit consent. Allows backdoor access and control

The malware gives a hacker access and control of your PC. They can then perform a number of different actions, including:
  • Downloading and running files
  • Uploading files
  • Spreading malware to other PCs
  • Logging your keystrokes or stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Deleting files

This malware description was produced and published using automated analysis of file SHA1 073a80959e5d380c23591c2c324fe08fa81999c1.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\documents and settings\administrator\srlptg..vbs
    c:\documents and settings\administrator\application data\sub7\csrss.exe
    c:\documents and settings\administrator\betnhnzfz\xdir.exe
    c:\documents and settings\administrator\local settings\temp\~a21524.log
  • You see these entries or keys in your registry:

    Sets value: "EnableLUA"
    With data: "0"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Last update 01 July 2014

 

TOP

Malware :

Family: