Home / malware Backdoor.Backtor
First posted on 12 August 2014.
Source: SymantecAliases :
There are no other names known for Backdoor.Backtor.
Explanation :
The Trojan arrives on the computer as a fake update for the Tor anonymous browser.
When the Trojan is executed, it creates the following files: %UserProfile%\Application Data\Video\videodrv.exe%UserProfile%\Application Data\Video\videodll.exe%CurrentFolder%\vid.mkv
The Trojan also drops and executes the Tor installer in the following location:
%Temp%\torbrowser-install-3.6.3_en-US.exe
Next, the Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"videodrv"="%UserProfile%\Application Data\Video\videodrv.exe"
The Trojan then connects to the following remote location:
silkroad6cebts64.onion
The Trojan may then perform the following actions: Capture screenshotsExecute the Netcat networking utility with specific parametersExecute cmd.exe with specific parametersUpload, download and execute filesGather hard drive informationRestart the computerUpdate itselfLast update 12 August 2014