Home / malware Backdoor.Mivast
First posted on 07 February 2015.
Source: SymantecAliases :
There are no other names known for Backdoor.Mivast.
Explanation :
The Trojan arrives on the compromised computer as a dropper that disguises itself as another application.
When the Trojan is executed, it creates the following files:
%Temp%\Center[RANDOM NUMBERS].dat%Temp%\msi.dll%Temp%\s.exe%Temp%\setup.msi%Temp%\MicroMedia%Temp%\MicroMedia\MediaCenter.exe
The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia
The Trojan may inject a thread in the following location to open a back door:
svchost.exe
The Trojan may open a back door, and connect to one of the following locations:
sharepoint-vaeit.com:80extcitrix.we11point.com:80sb-ssl.google.com:80192.199.254.126/view.asp?[PARAMETERS]192.199.254.126/photo/[STRING].jpg?[PARAMETERS]
The Trojan may perform the following actions:
Open a remote shellRun basic commandsDownload and execute .exe filesRemove itself from the autorun keyRead and send data from filesGather NTLM password informationLast update 07 February 2015