Backdoor.Edunet.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Backdoor.Edunet.A is also known as Trojan:Win32/Danmec.gen!A, BDS/Backdoor.Gen.
Explanation:
The original malware file is a dropper that, after dropping the actual malware in the %WINDIR%\System32 folder under the name ACPI.exe, exits as a process and then deletes itself using a self-delete .bat file.
As you can see, the virus masquerades as a legitimate service that the Windows operating system uses: ACPI stands for Advanced SCSI Programming Interface.
The virus is a proxy mass mailer that uses a backdoor connection to retrieve configuration data from the attacker. The interesting thing about it is that it tries to connect to a considerable number of SMTP servers that belong to universities and military centers around the world. The list of servers that were used at testing time is:
ns.uk2.net 83.170.69.14
www.yahoo.com 87.248.113.14
www.web.de 217.72.195.42
216.245.195.34 216.245.195.34
john 192.168.13.2
mx-h.gmu.edu 129.174.0.99
prince.cceb.med.upenn.edu 128.91.204.88
smtp.service.emory.edu 170.140.52.178
mx.usc.edu 128.125.253.79
zeratul.whoi.edu 128.128.76.62
tassadar.whoi.edu 128.128.76.63
smtp-gw-ext.pima.edu 144.90.137.216
external-smtp-multi-vif.cc.columbia.edu 128.59.48.6
mail.ee.gatech.edu 130.207.225.105
mail2.mc.maricopa.edu 140.198.64.111
asg6.wright.edu 130.108.128.92
apollo.sjsu.edu 130.65.3.73
smtp02.olin.edu 209.94.128.135
mail.bc.edu 136.167.2.24
hscantispam.health.usf.edu 131.247.67.45
mx.dcn.davis.ca.us 168.150.253.5
emory.edu.s7a1.psmtp.com 64.18.6.14
mail.ece.gatech.edu 143.215.151.200
mail1.mc.maricopa.edu 140.198.64.113
asg4.wright.edu 130.108.128.91
hestia.sjsu.edu 130.65.3.74
smtp01.olin.edu 4.21.175.135
purgatory.bc.edu 136.167.2.254
uihc-mx.uihc.uiowa.edu 129.255.114.164
hscantispam.hsc.usf.edu 131.247.67.45
emory.edu.s7a2.psmtp.com 64.18.6.13
demeter.sjsu.edu 130.65.3.75
uihc-mxii.uihc.uiowa.edu 129.255.150.25
mailhub.appstate.edu 152.10.1.150
mail.lehigh.edu 128.180.2.160
emory.edu.s7b1.psmtp.com 64.18.6.11
smail7.nrl.navy.mil 132.250.1.17
emory.edu.s7b2.psmtp.com 64.18.6.10
ironport.ucc.vcu.edu 128.172.8.171
smail5.nrl.navy.mil 132.250.1.14
smtp1.etsu.edu 151.141.9.24
mailgate4.co.hennepin.mn.us 204.73.55.44
ironport2.ucc.vcu.edu 128.172.8.176
smail6.nrl.navy.mil 132.250.1.149
mx4.bucknell.edu 134.82.9.78
extrelay6.state.nd.us 165.234.64.65
mailgate5.co.hennepin.mn.us 207.225.131.11
mx5.bucknell.edu 134.82.9.77
mhub-m.tc.umn.edu 134.84.119.105
mp2.cc.umb.edu 158.121.14.102
esra.chem.sc.edu 129.252.244.5
extrelay5.state.nd.us 165.234.64.66
mx1.bucknell.edu 134.82.9.129
mhub-w.tc.umn.edu 134.84.119.8
mp1.cc.umb.edu 158.121.14.101
pennant.ceris.purdue.edu 128.210.64.11
router3.mail.cornell.edu 132.236.56.25
mx2.bucknell.edu 134.82.9.73
mhub-a.tc.umn.edu 134.84.119.205
router4.mail.cornell.edu 132.236.56.17
cluster5.us.messagelabs.com 216.82.253.19
In our tests these servers rejected any connection initiated by this malware, so they remain secured and immune to any attempt by this particular malware to use them as SMTP relay servers to deliver spam.
Last update 21 November 2011
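As an added example (not part of the BitDefender description), the following Python script turns the relay list above into a lookup table and runs it over firewall connection records to spot the behaviour the description names: a single internal host fanning out on SMTP ports to several unrelated university and military mail exchangers. The relay entries are taken from the list above (abridged to a few rows); the log line format, the internal source addresses and the detection threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# A few (hostname, IP) pairs from the relay list in the description above.
# The full list can be pasted in unchanged: the parser only needs "host ip" lines.
KNOWN_RELAYS_TEXT = """\
mx-h.gmu.edu 129.174.0.99
mx.usc.edu 128.125.253.79
mail.bc.edu 136.167.2.24
smail7.nrl.navy.mil 132.250.1.17
router3.mail.cornell.edu 132.236.56.25
"""


def parse_relay_list(text):
    """Parse 'hostname ip' lines into a dict mapping ip -> hostname.

    Lines that do not have exactly two whitespace-separated fields are skipped,
    so stray headings or blank lines in a pasted list do no harm.
    """
    relays = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        host, ip = parts
        relays[ip] = host
    return relays


# Constructed firewall log lines in a key=value style (assumed format, not from
# the page). 10.0.0.5 models an infected workstation probing several relays.
SAMPLE_LOG = """\
2011-11-21T10:00:01Z src=10.0.0.5 dst=129.174.0.99 dport=25 proto=tcp action=allow
2011-11-21T10:00:02Z src=10.0.0.5 dst=128.125.253.79 dport=25 proto=tcp action=allow
2011-11-21T10:00:03Z src=10.0.0.5 dst=136.167.2.24 dport=25 proto=tcp action=allow
2011-11-21T10:00:04Z src=10.0.0.7 dst=129.174.0.99 dport=443 proto=tcp action=allow
2011-11-21T10:00:05Z src=10.0.0.9 dst=132.250.1.17 dport=25 proto=tcp action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def find_relay_probes(log_text, relays, smtp_ports=(25, 465, 587)):
    """Return {src: set(dst)} for connections on an SMTP port to a listed relay.

    Traffic to a listed IP on a non-mail port (e.g. 443 to a web server that
    happens to share an address) is ignored, which keeps the signal tied to
    relay abuse rather than to any contact with those networks.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if int(m["dport"]) not in smtp_ports:
            continue
        if m["dst"] in relays:
            hits[m["src"]].add(m["dst"])
    return dict(hits)


def suspicious_sources(hits, min_distinct=2):
    """Sources that reached at least min_distinct listed relays.

    A legitimate mail server may talk to one or two of these MXes; a desktop
    touching many unrelated .edu/.mil relays in a short window matches the
    mass-mailer pattern. The threshold is an assumption to tune per site.
    """
    return sorted(src for src, dsts in hits.items() if len(dsts) >= min_distinct)


if __name__ == "__main__":
    relays = parse_relay_list(KNOWN_RELAYS_TEXT)
    hits = find_relay_probes(SAMPLE_LOG, relays)
    for src in suspicious_sources(hits):
        names = ", ".join(relays[ip] for ip in sorted(hits[src]))
        print(f"{src}: SMTP connections to listed relays: {names}")
```

Run it as-is to see the constructed workstation flagged; in practice, feed it exported firewall or NetFlow records and pair the network signal with a host check for an unexpected ACPI.exe in %WINDIR%\System32, since either indicator alone can be noisy.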