Home / malware Backdoor:MSIL/Noszbot
First posted on 23 November 2010.
Source: SecurityHomeAliases :
Backdoor:MSIL/Noszbot is also known as Trojan.Win32.Jorik.Arcdoor.cr (Kaspersky), Trojan horse Generic19.CCQO (AVG), TR/Agent.106496.DM (Avira), Trojan.Generic.5060786 (BitDefender), Trojan.DownLoader1.35390 (Dr.Web), Trojan.Win32.Generic!BT (Sunbelt Software).
Explanation :
Backdoor:MSIL/Noszbot is a detection for malware that connects to a remote server in order to retrieve commands. By allowing remote access, this backdoor can perform several actions, including downloading additional files and running any commands. This trojan may be dropped onto the affected computer by other malware such as TrojanDownloader:Java/Fbfke.A.
Top
Backdoor:MSIL/Noszbot is a detection for malware that connects to a remote server in order to retrieve commands. By allowing remote access, this backdoor can perform several actions, including downloading additional files and running any commands. Installation This trojan may be dropped onto the affected computer by other malware such as TrojanDownloader:Java/Fbfke.A. When run, Backdoor:MSIL/Noszbot copies itself to the following locations: %APPDATA%\audiohd.exe <system folder>\wudhost.exe Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Backdoor:MSIL/Noszbot modifies following registry entries to ensure the copied files run with each Windows start. In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "Windows Audio Driver" With data: "%APPDATA%\audiohd.exe" In subey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "Windows-Network Component" With data: "<system folder>\wudhost.exe" Backdoor:MSIL/Noszbot overrides the display settings so files with the 'hidden' attribute are not displayed; it does this by making the following registry modification: In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Set value: "Hidden" with data: "2" Backdoor:MSIL/Noszbot creates a mutex named "prHAxx23Xusnv" to prevent more than one instance of the trojan running at a time. Payload Contacts remote hosts Backdoor:MSIL/Noszbot may attempt to contact a remote host in order to report infection and retrieve further commands; for example, it may contact the following remote host: adm.jazteberabim.de Depending on the commands, Backdoor:MSIL/Noszbot may:Download additional files Run any commands and executables Start a Distributed Denial of Service (DDoS) attack Uninstall itself Commonly, malware may contact a remote host for the following purposes:Report a new infection to its author Download and execute arbitrary files (including updates or additional malware) Receive instruction from a remote attacker
Analysis by Shawn WangLast update 23 November 2010