

First posted on 03 February 2010.
Source: SecurityHome

Aliases :

Backdoor:Win32/Ixeshe.B is also known as W32/Hydraq.K (Authentium (Command)), Backdoor.Agent.AALF (BitDefender), Win32/Gaia.A (ESET), Backdoor.Win32.FakeAdobe (Ikarus), Trojan.Win32.Genome.erfa (Kaspersky), W32/Malware.LAFO (Norman), Trj/Passtealer.KD (Panda), Troj/PWS-BGN (Sophos), TROJ_COMELE.AJ (Trend Micro).

Explanation :

Backdoor:Win32/Ixeshe.B is a backdoor trojan that allows remote access to and control of the affected computer. It has been observed being installed by a PDF exploit detected as Exploit:Win32/Pdfjsc.DA.

Installation :

This trojan may be installed and executed by Exploit:Win32/Pdfjsc.DA as the following file:

%TEMP%\updater.exe

When Backdoor:Win32/Ixeshe.B runs, it drops the following files:

%APPDATA%\Adobe\acrotry.exe - copy of Backdoor:Win32/Ixeshe.B
%windir%\tasks\temp.gif - temporary file

The registry is modified to run the dropped copy at each Windows start.

Adds value: "Adobe Assistant"
With data: "%APPDATA%\Adobe\acrotry.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Payload :

Allows remote access and control

Backdoor:Win32/Ixeshe.B logs on to the Google e-mail servers hosted at "mail.google.com" using a username and password embedded in the malware; it may also connect using cached credentials. Once it has logged in successfully, it attempts to connect to a remote address. Note: the trojan may fail at certain stages because of errors in its own code.

Once connected, a remote attacker may perform the following actions using the affected computer:

Spawn a remote Windows shell that can perform any of several commands:
  List all services, processes, and drives
  Terminate a process or service
  Download and upload files
  Start a process or service
  Get the username
  Get the machine name and domain name
  Terminate the shell
Download and execute updates or other arbitrary files
Pause/sleep for a specified number of minutes
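The dropped files and the "Adobe Assistant" Run value above are the host indicators a responder would sweep for. The following is an added example, not code from the original write-up or from the analyst, that turns those indicators into a matcher and runs it over a constructed registry export and file listing. It assumes a sample environment-variable mapping (SAMPLE_ENV) and a deliberately minimal .reg parser that handles quoted REG_SZ values only (hex(2) REG_EXPAND_SZ entries are not decoded); all sample data is constructed. Both the indicator and the observed value are expanded and case-folded before comparison, because the description gives paths with %VAR% tokens while the value actually written to the registry may be the absolute path, and Windows paths are case-insensitive.

```python
import ntpath
import re

# Indicators transcribed from the Backdoor:Win32/Ixeshe.B description above.
FILE_IOCS = [
    r"%TEMP%\updater.exe",            # dropped by Exploit:Win32/Pdfjsc.DA
    r"%APPDATA%\Adobe\acrotry.exe",   # persisted copy of the backdoor
    r"%windir%\tasks\temp.gif",       # temporary file
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Adobe Assistant"
RUN_VALUE_DATA = r"%APPDATA%\Adobe\acrotry.exe"

# Constructed environment for an offline run (assumption); a real collector
# would read these from the host being examined.
SAMPLE_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "windir": r"C:\Windows",
}

# Constructed .reg export of the Run key (assumption): one benign entry whose
# file is also called updater.exe but lives outside %TEMP%, and the indicator.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Adobe Assistant"="C:\\Users\\alice\\AppData\\Roaming\\Adobe\\acrotry.exe"
'''

# Constructed file listing (assumption); case differs on purpose.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\updater.exe",
    r"C:\Users\alice\AppData\Roaming\Adobe\ACROTRY.EXE",
    r"C:\Windows\Tasks\temp.gif",
    r"C:\Program Files\Example\updater.exe",   # same name, wrong location
]

_ENV_RE = re.compile(r"%([^%]+)%")


def expand(path, env):
    """Expand %VAR% tokens case-insensitively, as cmd.exe does; unknown tokens stay."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _ENV_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def norm(path):
    """Canonical form for comparing Windows paths: normalized separators, lower case."""
    return ntpath.normpath(path).lower()


def parse_reg_export(text):
    """Parse quoted REG_SZ entries of a .reg export into {(key, value_name): data}."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # undo .reg escaping
            values[(current, name.strip('"'))] = data
    return values


def match_run_key(reg_values, env):
    """Return Run entries matching the persistence indicator by name or by target."""
    want = norm(expand(RUN_VALUE_DATA, env))
    hits = []
    for (key, name), data in reg_values.items():
        if key.lower() != RUN_KEY.lower():
            continue
        if name.lower() == RUN_VALUE_NAME.lower() or norm(expand(data, env)) == want:
            hits.append((key, name, data))
    return hits


def match_files(file_listing, env):
    """Return (observed_path, indicator) pairs for files at the documented locations."""
    wanted = {norm(expand(p, env)): p for p in FILE_IOCS}
    return [(f, wanted[norm(f)]) for f in file_listing if norm(f) in wanted]


def scan(reg_text, file_listing, env):
    """Run both checks and return the hits grouped by source."""
    return {
        "registry": match_run_key(parse_reg_export(reg_text), env),
        "files": match_files(file_listing, env),
    }


if __name__ == "__main__":
    for source, hits in scan(SAMPLE_REG_EXPORT, SAMPLE_FILES, SAMPLE_ENV).items():
        for hit in hits:
            print(source, hit)
```

Matching on the value name alone is deliberately kept alongside the path comparison: a later variant could keep the "Adobe Assistant" name while moving the binary, or keep the path while renaming the value, and either is worth a look. Name-only matches on the file side (updater.exe in a legitimate program directory) are not reported, since only the documented locations are indicators.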

Analysis by Rodel Finones

Last update 03 February 2010