Home / malwarePDF  

Backdoor:Win32/Bergat.A


First posted on 15 July 2014.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Bergat.A.

Explanation :

Threat behavior

Installation

Backdoor:Win32/Bergat.A copies itself to c:\documents and settings\administrator\application data\microsoft\0fficekey.exe. The malware changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "HKLM"
With data: "c:\documents and settings\administrator\application data\microsoft\0fficekey.exe" The malware creates the following files on your PC:

  • c:\documents and settings\administrator\application data\microsoft\windows\p23tlcdmg0h\p23tlcdmg0h.dat
  • c:\documents and settings\administrator\application data\microsoft\windows\p23tlcdmg0h\p23tlcdmg0h.nfo
  • c:\documents and settings\administrator\application data\microsoft\windows\p23tlcdmg0h\p23tlcdmg0h.svr
  • c:\documents and settings\administrator\local settings\temp\aut11.tmp
  • c:\documents and settings\administrator\local settings\temp\aut12.tmp
  • c:\documents and settings\administrator\local settings\temp\fcn64us.cw6
The malware uses code injection to make it harder to detect and remove. It can inject code into running processes, including the following:

  • svchost.exe


Payload

Stops processes

Backdoor:Win32/Bergat.A can stop the following processes:

  • svchost.exe
Allows backdoor access and control

The malware gives a hacker access and control of your PC. They can then perform a number of different actions, including:
  • Downloading and running files
  • Uploading files
  • Spreading malware to other PCs
  • Logging your keystrokes or stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Deleting files

This malware description was produced and published using automated analysis of file SHA1 467402dfed3567bbfa7b7cfde85cf5df8233b38a.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\documents and settings\administrator\application data\microsoft\0fficekey.exe
    c:\documents and settings\administrator\application data\microsoft\windows\p23tlcdmg0h\p23tlcdmg0h.dat
    c:\documents and settings\administrator\application data\microsoft\windows\p23tlcdmg0h\p23tlcdmg0h.nfo
    c:\documents and settings\administrator\application data\microsoft\windows\p23tlcdmg0h\p23tlcdmg0h.svr
    c:\documents and settings\administrator\local settings\temp\aut11.tmp
    c:\documents and settings\administrator\local settings\temp\aut12.tmp
    c:\documents and settings\administrator\local settings\temp\fcn64us.cw6
  • You see these entries or keys in your registry:

    Sets value: "HKLM"
    With data: "c:\documents and settings\administrator\application data\microsoft\0fficekey.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Last update 15 July 2014

 

TOP

Malware :

Family: