
Backdoor.Avubot


First posted on 18 December 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Avubot.

Explanation:

Once executed, the Trojan may create one of the following files:
%AppData%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe
%AppData%\Microsoft\Windows\[RANDOM FILE NAME].exe
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM VALUE]" = "%AppData%\Microsoft\Windows\[RANDOM FILE NAME].exe"
The Trojan also creates the following registry entries:
HKEY_CURRENT_USER\Software\Google\Update\network\secure\"0" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\Google\Update\network\secure\"1" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\Google\Update\network\secure\"2" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\Google\Update\network\secure\"3" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\"in" = "I5U+0MmetobNGVT8VHc8QiEbFkDwqngPOVGfpsQ9nb2BhxQ2LN+60zxzsBcSfwIUuAugP1pVhYif8SI//vMrPgsF+b9d57VlckJPx0sj1di+h7n6MG+T3Qq1N4T/1P7m8IU2fML"
Next, the Trojan modifies the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%AppData%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe"
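An added triage check for the persistence locations listed above; it is not part of the Symantec description. It enumerates the HKCU Run key, the "load" value under Windows NT\CurrentVersion\Windows, and the Google\Update\network\secure key, flagging autostart targets that resolve into %AppData%. The function name and the %AppData% heuristic are assumptions; the registry paths are the ones in the description.

```powershell
# Added triage check, not from the Symantec write-up. Function name and the
# "%AppData% target" heuristic are assumptions; the registry paths are those
# listed in the description.
function Find-AvubotPersistence {
    $appData = [Environment]::GetFolderPath('ApplicationData')

    # Autostart locations named in the description. Name = $null means
    # "inspect every value under the key" (the Run value name is random).
    $locations = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';        Name = $null  },
        @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'load' }
    )

    foreach ($loc in $locations) {
        if (-not (Test-Path -Path $loc.Path)) { continue }
        $item  = Get-ItemProperty -Path $loc.Path
        $names = if ($loc.Name) { @($loc.Name) } else {
            # Drop PowerShell's own PS* metadata properties.
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                Select-Object -ExpandProperty Name
        }
        foreach ($n in $names) {
            $raw = [string]$item.$n
            if (-not $raw) { continue }
            # Expand %AppData% so the comparison runs on the real path.
            $target = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            if ($target.StartsWith($appData + '\', [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Key    = $loc.Path
                    Value  = $n
                    Target = $target
                    OnDisk = Test-Path -LiteralPath $target
                }
            }
        }
    }

    # The values under Google\Update\network\secure are opaque hex blobs, so
    # only the presence of the key is reported for analyst review.
    $secure = 'HKCU:\Software\Google\Update\network\secure'
    if (Test-Path -Path $secure) {
        [pscustomobject]@{ Key = $secure; Value = '(key present)'; Target = ''; OnDisk = $null }
    }
}

Find-AvubotPersistence | Format-Table -AutoSize
```

Run it in the context of the affected user account, since every location is under HKEY_CURRENT_USER; an empty table means none of the listed locations point into %AppData%.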
The Trojan then opens a back door on the compromised computer, and connects to the following remote location:
[http://]46.165.246.234
The Trojan may then perform the following actions:
Update itself
Download, execute, read, write, and delete files
Create a remote shell

Last update 18 December 2015
