
Backdoor.Tinybaron


First posted on 28 May 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Tinybaron.

Explanation:

When the Trojan is executed, it modifies the following files:
%Temp%\advsec32.dll
%System%\spoolcds.dll
%System%\spoolcds.dll[RANDOM CHARACTERS]
%System%\themeuichk.dll
%System%\wlrsacert.nls
%Windir%\Tasks\Watchmon Service.job
%AllUsersProfile%\Documents\ntuser{[RANDOM DIGITS]}.pol
%Windir%\Temp\advsec32.dll
%Temp%\[RANDOM DIGITS]
%Windir%\Temp\[RANDOM FILE NAME].exe
%Temp%\[RANDOM FILE NAME].exe
%System%\[RANDOM FILE NAME].ocx
%System%\[RANDOM FILE NAME].exe
%System%\[RANDOM FILE NAME].scr
%UserProfile%\Application Data\Adobe\[RANDOM FILE NAME].exe
%UserProfile%\Application Data\AdobeARM\AdobeARMc.dll
%UserProfile%\Application Data\AdobeARM\AdobeTray.dll
%UserProfile%\Start Menu\Programs\Startup\ReaderSL.lnk
%AllUsersProfile%\Application Data\AdobeARM\AdobeARMc.dll
%AllUsersProfile%\Start Menu\Programs\Startup\ReaderSL.lnk
%SystemDrive%\Documents and Settings\NetworkService\Application Data\AdobeARM\AdobeARMc.dll
%SystemDrive%\Documents and Settings\NetworkService\Application Data\AdobeARM\AdobeTray.dll
%SystemDrive%\Documents and Settings\NetworkService\Start Menu\Programs\Startup\ReaderSL.lnk
%CommonProgramFiles%\AdobeARM\AdobeARMd.dll
The Trojan creates the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\javatmsup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\spoolcds
HKEY_LOCAL_MACHINE\SOFTWARE\Google\SpoolCDS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rsacert31
HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\CommonFiles
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18\Data\89c39569-6841-11d2-9f59-0000f8085266\e13059b6-3509-497a-8c18-25a7a1d021b8\IdentitiesPass
The Trojan creates the following registry values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\"Order" = "LanMan Print Services", "Internet Print Provider", "spoolcds"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"RSACertPath" = "%System%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"recovery" = "%System%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\"AutoRun" = "%System%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"recovery" = "%System%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid\"BitNames" = "DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MigrateProxy" = 0x00000001
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18\"Migrate" = 0x00000002
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18\Data 2\Windows\"Value" = [RANDOM BYTES]
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = 0x00000000
HKEY_USERS\.DEFAULT\Software\Microsoft\Multimedia\DrawDib\"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\"SerialIID" = [RANDOM BYTES]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\"SerialIID" = [RANDOM BYTES]
HKEY_CURRENT_USER\Control Panel\Desktop\"ScreenSaveUtility" = "%System%\[RANDOM FILE NAME].scr"
HKEY_CLASSES_ROOT\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\"(Default)" = "%System%\[RANDOM FILE NAME].ocx"
The Trojan opens a back door on the compromised computer, and connects to one of the following hosts through HTTP or FTP:
212.224.118.241/data/mgr.php
176.74.216.1491.247.228.63/files/client.php
The Trojan may steal information from the compromised computer and send it to the host.
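The persistence entries above (the Run and Policies\Run "recovery" values, the Command Processor "AutoRun" value, the Winlogon Notify package, the spoolcds print provider, the CLSID InprocServer32 and the fixed-name dropped files) are the indicators a responder can verify on a suspect host without an AV signature. The following PowerShell script is an added example written for this page, not part of the Symantec write-up: it is read-only, checks only the indicators listed above that have fixed names (the [RANDOM FILE NAME] entries cannot be matched by path), and resolves the XP-era profile paths from the write-up (%UserProfile%\Application Data, Start Menu\Programs\Startup) through .NET special folders so that it works on current profile layouts. The network hosts are best checked in proxy or firewall logs and are not covered here.

```powershell
# Added example: read-only triage for the Backdoor.Tinybaron host indicators
# listed in the write-up. Reports findings; it changes nothing on the host.
$findings = @()

$sys = "$env:SystemRoot\System32"
# Profile folders resolved via .NET so the XP-era paths map to modern layouts.
$startup       = [Environment]::GetFolderPath('Startup')
$commonStartup = [Environment]::GetFolderPath('CommonStartup')
$appData       = [Environment]::GetFolderPath('ApplicationData')
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
$commonFiles   = [Environment]::GetFolderPath('CommonProgramFiles')

# Fixed-name files from the write-up.
$filePaths = @(
    "$env:TEMP\advsec32.dll",
    "$env:SystemRoot\Temp\advsec32.dll",
    "$sys\spoolcds.dll",
    "$sys\themeuichk.dll",
    "$sys\wlrsacert.nls",
    "$env:SystemRoot\Tasks\Watchmon Service.job",
    "$appData\AdobeARM\AdobeARMc.dll",
    "$appData\AdobeARM\AdobeTray.dll",
    "$commonAppData\AdobeARM\AdobeARMc.dll",
    "$startup\ReaderSL.lnk",
    "$commonStartup\ReaderSL.lnk",
    "$commonFiles\AdobeARM\AdobeARMd.dll"
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Registry keys the Trojan creates (presence alone is suspicious for these names).
$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\javatmsup',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\spoolcds',
    'HKLM:\SOFTWARE\Google\SpoolCDS',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rsacert31',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Registry values that point at the randomly named payload. The data cannot be
# matched by name, so the value is reported with whatever it currently holds.
# Note: Command Processor\AutoRun can be set legitimately; review its data.
$regValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion';                  Name = 'RSACertPath' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                 Name = 'recovery' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'recovery' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Command Processor';                          Name = 'AutoRun' },
    @{ Path = 'HKCU:\Control Panel\Desktop';                                         Name = 'ScreenSaveUtility' }
)
foreach ($v in $regValues) {
    if (Test-Path -LiteralPath $v.Path) {
        $item = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($item) {
            $findings += "Registry value present: $($v.Path)\$($v.Name) = $($item.($v.Name))"
        }
    }
}

# The print provider "Order" list (REG_MULTI_SZ) should not contain "spoolcds".
$providers = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers'
$order = (Get-ItemProperty -LiteralPath $providers -Name Order -ErrorAction SilentlyContinue).Order
if ($order -contains 'spoolcds') {
    $findings += "Print provider order includes spoolcds: $($order -join ', ')"
}

if ($findings.Count -eq 0) {
    'No Backdoor.Tinybaron indicators found.'
} else {
    $findings
}
```

Run it in an elevated PowerShell session on the suspect host; a hit on any of the fixed-name files or the javatmsup, spoolcds, rsacert31 or CLSID keys is a strong indicator, while the Run, Policies\Run and AutoRun values should be judged by the executable they point to, since those names can in principle be used by legitimate software.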

Last update 28 May 2014
