
Backdoor.Weevil.B


First posted on 21 February 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Weevil.B.

Explanation:

When the Trojan is executed, it creates the following files:
%Temp%\___.tmp
%System%\awcodc32.dll
%System%\awdcxc32.dll
%System%\bootfont.bin
%System%\jpeg1x32.dll
%System%\mfcn30.dll
%System%\vchw9x.dll
%System%\Drivers\scsimap.sys
%System%\c_50225.nls
%System%\c_50227.nls
%System%\c_50229.nls
%System%\Bootfont.bin
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher = 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\DisplayName = "scsimap"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\ErrorControl = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\ImagePath = "System32\DRIVERS\scsimap.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\Start = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\Type = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\Enum\0 = "Root\LEGACY_SCSIMAP\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\Enum\Count = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\Enum\NextInstance = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\Security\Security = 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scsimap\Params\Value = <0xAEB8 bytes>
The Trojan opens a back door on the compromised computer and connects to one of the following locations:
nthost.shacknet.nu
www.covalent.com
81.0.233.15
The Trojan may steal the following information:
Operating system information
Hardware characteristics
User information
Processes
Network communications
The Trojan may perform the following actions:
Sniff network traffic
Log keystrokes
Monitor disk activity

Last update 21 February 2014
