
Backdoor.Gonymdos


First posted on 16 October 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Gonymdos.

Explanation:

Once executed, the Trojan creates the following folder:
%ProgramFiles%\DbSecuritySpt
The Trojan creates the following files:
%ProgramFiles%\DbSecuritySpt\DbSecuritySpt.exe
%ProgramFiles%\DbSecuritySpt\svch0st.exe
%ProgramFiles%\windows media player\DNSProtection.exe
%ProgramFiles%\windows media player\DNSSupport.exe
%ProgramFiles%\windows media player\agony.exe
%ProgramFiles%\windows media player\agony.sys
The Trojan also creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DbSecuritySpt\Security\"Security" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DbSecuritySpt\"Type" = "10"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DbSecuritySpt\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DbSecuritySpt\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DbSecuritySpt\"ImagePath" = "%ProgramFiles%\DbSecuritySpt\DbSecuritySpt.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DbSecuritySpt\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DBSECURITYSPT\0000\"Service" = "DbSecuritySpt"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DBSECURITYSPT\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DBSECURITYSPT\0000\"DeviceDesc" = "DbSecuritySpt"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DBSECURITYSPT\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DBSECURITYSPT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DBSECURITYSPT\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DBSECURITYSPT\"NextInstance" = "1"
Next, the Trojan connects to one of the following remote locations:
36000.gwd58.com
muou521.f3322.org
say.f3322.net
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Conduct distributed denial-of-service (DDoS) attacks
Download and execute files
Hide processes, files, registry entries, ports, and services
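As an added triage example that is not part of the Symantec writeup, the following Python script checks a registry export and a list of observed DNS queries for the DbSecuritySpt persistence service and the remote locations documented above. The .reg excerpt and the DNS query list are constructed sample data; the parser handles only the string and dword value forms shown.

```python
import re

# Indicators as documented in the writeup above; all sample data below is constructed.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DbSecuritySpt"
C2_DOMAINS = {"36000.gwd58.com", "muou521.f3322.org", "say.f3322.net"}

# Constructed excerpt of a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DbSecuritySpt]
"Start"=dword:00000002
"ObjectName"="LocalSystem"
"ImagePath"="C:\\Program Files\\DbSecuritySpt\\DbSecuritySpt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
"ObjectName"="NT AUTHORITY\\NetworkService"
'''
# Constructed DNS query log: one queried name per entry.
SAMPLE_DNS = ["update.microsoft.com", "MUOU521.f3322.org", "say.f3322.net"]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Parse [key] headers and "name"=value lines into {key: {name: value}}.
    dword values become ints; string values get .reg backslash escaping undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := _VAL_RE.match(line)):
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return keys

def check_service(reg):
    """Report the documented persistence: an auto-start (Start=2) LocalSystem
    service whose ImagePath points at the dropped DbSecuritySpt.exe."""
    svc = reg.get(SERVICE_KEY)
    if svc is None:
        return []
    findings = ["service key present"]
    if svc.get("Start") == 2:
        findings.append("auto-start")
    if svc.get("ObjectName") == "LocalSystem":
        findings.append("runs as LocalSystem")
    if svc.get("ImagePath", "").lower().endswith(r"\dbsecurityspt\dbsecurityspt.exe"):
        findings.append("ImagePath matches dropped binary")
    return findings

def check_dns(queries):
    """Return queried names that match the documented remote locations (case-insensitive)."""
    return sorted(q.lower() for q in queries if q.lower() in C2_DOMAINS)
```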

Last update 16 October 2015
