
Backdoor.Govrat


First posted on 24 December 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Govrat.

Explanation:

Once executed, the Trojan creates the following file:
%UserProfile%\Application Data\Microsoft\Internet Explorer\reader_sl.exe
The Trojan then creates the following shortcut to the file:
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launcher.lnk
The Trojan then creates the following mutex so that only one instance of the threat executes on the compromised computer:
Global\{91040D7A-F034-4868-85A6-C20FD27CDB6B}
Next, the Trojan may connect to one or more of the following legitimate and clean remote locations:
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
The Trojan then opens a back door on the compromised computer, and connects to the following command and control (C&C) server:
microsoftware.xyz
The Trojan may then perform the following actions:
Check if it is running on a virtual machine
Download, execute, and upload files
Upload system information such as user name, computer name, and operating system version to the C&C server
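As an added example (not part of the Symantec write-up), the following PowerShell triage script checks a host for the artifacts listed above: the dropped file, the startup shortcut, the mutex, and the C&C name in the DNS client cache. The write-up gives XP-era paths; the %APPDATA% and %ProgramData% equivalents checked alongside them are assumptions for Vista and later.

```powershell
# Added triage script for the Backdoor.Govrat indicators listed on this page.
# Not Symantec's code; it only reports findings and changes nothing on the host.
$DroppedFile = 'Microsoft\Internet Explorer\reader_sl.exe'
$StartupLnk  = 'Adobe Reader Speed Launcher.lnk'
$MutexName   = 'Global\{91040D7A-F034-4868-85A6-C20FD27CDB6B}'
$C2Domain    = 'microsoftware.xyz'

# The page gives XP-era paths; on Vista and later the same locations resolve
# through %APPDATA% and %ProgramData% (assumed equivalents), so both are checked.
$FilePaths = @(
    (Join-Path $env:USERPROFILE "Application Data\$DroppedFile"),
    (Join-Path $env:APPDATA $DroppedFile)
)
$LnkPaths = @(
    (Join-Path $env:ALLUSERSPROFILE "Start Menu\Programs\Startup\$StartupLnk"),
    (Join-Path $env:ProgramData "Microsoft\Windows\Start Menu\Programs\Startup\$StartupLnk")
)

function Test-MutexPresent([string]$Name) {
    # TryOpenExisting succeeds only if another process already created the name.
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($Name, [ref]$m)) { $m.Dispose(); return $true }
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true   # the mutex exists but this token cannot open it: still a hit
    }
}

$Findings = @()
foreach ($p in ($FilePaths + $LnkPaths)) {
    if (Test-Path -LiteralPath $p) { $Findings += "Artifact present: $p" }
}
if (Test-MutexPresent $MutexName) { $Findings += "Mutex present: $MutexName" }

# DNS client cache (Windows 8 and later); a hit means something on this host resolved the C&C name.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $dns = Get-DnsClientCache | Where-Object { $_.Entry -like "*$C2Domain*" }
    if ($dns) { $Findings += "C&C name in DNS cache: $C2Domain" }
}

if ($Findings.Count -eq 0) { 'No Backdoor.Govrat indicators found.' } else { $Findings }
```

A mutex hit is the strongest live signal here, since the file and shortcut may be absent on a host where the implant has already been cleaned but is still running.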

Last update 24 December 2015
