Backdoor:Win32/Cycbot.B
First posted on 29 June 2019.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Cycbot.B.
Explanation:
Backdoor:Win32/Cycbot.B is a backdoor trojan that gives attackers unauthorized access to and control of an affected computer. After a computer is infected, the trojan connects to a specific remote server to receive commands from attackers. The commands may include instructing the trojan to update itself, visit web links, or download and execute arbitrary files.
Installation
When executed, Backdoor:Win32/Cycbot.B copies itself to c:\documents and settings\administrator\application data\microsoft\svchost.exe.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "svchost"
With data: "c:\documents and settings\administrator\application data\microsoft\svchost.exe"
The malware creates the following files on an affected computer:
c:\documents and settings\administrator\application data\microsoft\stor.cfg
c:\documents and settings\administrator\application data\microsoft\windowsshell.exe
c:\documents and settings\administrator\local settings\temp\dwm.exe
These files store configuration and logging information for the malware.
Payload
Allows backdoor access and control
Backdoor:Win32/Cycbot.B allows unauthorized access to and control of an affected computer. It does so by connecting to one of a number of web servers, which may respond with commands for it to execute. It may also send status information to these servers. The original entry lists a number of example domains and IP addresses used as command servers.
An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Cycbot.B. This could include, but is not limited to, the following actions:
Download and execute arbitrary files
Update itself
Stop running
Visit web links, possibly to collect money from pay-per-click advertising
Modify system settings
Run or terminate applications
Delete files
Downloads and installs additional malware
Backdoor:Win32/Cycbot.B has been observed to download and execute fake security software, such as Rogue:Win32/FakePAV.
Analysis by David Wood
Last update 29 June 2019
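As an added defender-side example (not part of the original Microsoft entry), the following Python check parses the output of `reg query` for the Run keys and flags entries that are named after, or launch, a Windows system binary such as svchost.exe from outside the system directories, which is the persistence pattern described above. The sample registry output, the trusted directory list and the environment-variable expansion are constructed assumptions for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Binary names the entry shows Cycbot.B borrowing (svchost.exe for its Run-key copy, dwm.exe for its temp drop).
SYSTEM_BINARY_NAMES = {"svchost.exe", "dwm.exe"}
# Where the genuine copies of those binaries live (assumed, lower-case, expanded).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# One value line of `reg query <key>` output: name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def executable_path(data: str) -> str:
    """Return the lower-cased, env-expanded binary path from a Run value's data."""
    data = data.strip()
    if data.startswith('"'):                      # quoted path, possibly followed by arguments
        path = data[1:].split('"', 1)[0]
    else:                                         # unquoted: cut after the first .exe token
        m = re.match(r"(.*?\.exe)(\s|$)", data, re.IGNORECASE)
        path = m.group(1) if m else data
    path = path.lower()
    for var in ("%windir%", "%systemroot%"):      # assumed expansion for a default install
        path = path.replace(var, "c:\\windows")
    return path

def find_masquerading_run_entries(reg_output: str) -> list:
    """Flag Run entries that mimic a system binary but run from outside the trusted directories."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):              # key header line
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, _, data = m.groups()
        exe = executable_path(data)
        p = PureWindowsPath(exe)
        mimics = p.name in SYSTEM_BINARY_NAMES or name.lower() + ".exe" in SYSTEM_BINARY_NAMES
        if mimics and not str(p.parent).startswith(TRUSTED_DIRS):
            hits.append({"key": key, "name": name, "path": exe})
    return hits

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchost    REG_SZ    c:\documents and settings\administrator\application data\microsoft\svchost.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
```

On a live host, feed it the combined output of `reg query` for both the HKLM and HKCU Run keys; the two benign sample entries are not flagged, only the svchost value pointing into Application Data is.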