Backdoor:Win32/Belmoo.A
First posted on 29 October 2010.
Source: SecurityHome
Aliases: Backdoor:Win32/Belmoo.A is also known as Win32/Belmoo (Norman), BKDR_NINDYA.A (Trend Micro).
Explanation:
Backdoor:Win32/Belmoo.A is a trojan that opens TCP port 443 and could allow a connection from a remote attacker.
Installation
In the wild, this trojan is known to be delivered via JavaScript when browsing a hacked website using the web browser Firefox. When run, the trojan copies itself as the following file:
%windir%\temp\symantec.exe
The registry is modified to run the trojan at each Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Update"
To data: "%windir%\temp\symantec.exe"

Payload
Allows backdoor remote access and control
Backdoor:Win32/Belmoo.A checks for Internet connectivity by connecting to the domain "update.microsoft.com" using TCP port 80. The trojan then attempts to connect to the site "l-3com.dyndns-work.com" using TCP port 443, allowing backdoor remote access and control. If the connection attempt fails, the trojan attempts to connect to the site "l-3com.dyndns.tv" using TCP port 80.
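The persistence entry and the two command-and-control destinations above are the indicators a responder would sweep for. The following Python script is an added example, not part of the original write-up or any vendor tool: it takes the indicators exactly as stated on this page and runs them over two constructed inputs, a list of Run-key entries (as you would get from parsing a .reg export) and a few made-up firewall log lines. It assumes C:\Windows as the system root when comparing the expanded and %windir% forms of the dropped file path, and assumes a log line format of the shape "dst=<host> dport=<port>"; both are assumptions for the example. Note that the connectivity probe to update.microsoft.com:80 is deliberately not treated as an indicator, since it looks like ordinary traffic on its own.

```python
import re
from typing import Iterable, List, Tuple

# Indicators of compromise exactly as stated in the write-up above.
DROPPED_FILE = r"%windir%\temp\symantec.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft Windows Update"
C2_ENDPOINTS = {
    ("l-3com.dyndns-work.com", 443),  # primary backdoor channel
    ("l-3com.dyndns.tv", 80),         # fallback if the first attempt fails
}
# Connectivity probe used by the trojan; a benign destination, so it is
# not flagged on its own.
CONNECTIVITY_CHECK = ("update.microsoft.com", 80)


def normalize_path(p: str) -> str:
    """Lower-case, strip quotes and collapse %windir%, %systemroot% and
    C:\\Windows (assumed system root) to one token, so the expanded and
    unexpanded forms of the dropped file path compare equal."""
    p = p.strip().strip('"').lower()
    return re.sub(r"^(%windir%|%systemroot%|c:\\windows)", "<windir>", p)


def check_run_entries(entries: Iterable[Tuple[str, str, str]]) -> List[str]:
    """entries: (key, value_name, data) triples, e.g. parsed from a .reg
    export of HKCU. Returns one finding per entry that matches the
    persistence mechanism described: the value name the trojan sets, or
    any value whose data points at the dropped file."""
    findings = []
    target = normalize_path(DROPPED_FILE)
    for key, name, data in entries:
        same_key = key.lower() == RUN_KEY.lower()
        same_data = normalize_path(data) == target
        if same_key and (name == RUN_VALUE_NAME or same_data):
            findings.append(f"{key}\\{name} -> {data}")
    return findings


# Assumed log format for the example: "... dst=<host> dport=<port> ..."
LOG_RE = re.compile(r"dst=(?P<host>\S+)\s+dport=(?P<port>\d+)")


def check_connection_log(lines: Iterable[str]) -> List[str]:
    """Return the log lines whose destination host and port match one of
    the backdoor's two command-and-control endpoints."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        endpoint = (m.group("host").lower(), int(m.group("port")))
        if endpoint in C2_ENDPOINTS:
            findings.append(line.strip())
    return findings


# Constructed sample data for the example (not real telemetry).
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (RUN_KEY, "Microsoft Windows Update", r'"C:\Windows\temp\symantec.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Setup", r"C:\setup.exe"),
]
SAMPLE_LOG = [
    "2010-10-29T09:00:01 src=10.0.0.5 dst=update.microsoft.com dport=80 action=allow",
    "2010-10-29T09:00:02 src=10.0.0.5 dst=l-3com.dyndns-work.com dport=443 action=allow",
    "2010-10-29T09:00:03 src=10.0.0.5 dst=l-3com.dyndns.tv dport=80 action=deny",
    "2010-10-29T09:00:04 src=10.0.0.6 dst=www.example.com dport=443 action=allow",
]

if __name__ == "__main__":
    for f in check_run_entries(SAMPLE_RUN_ENTRIES):
        print("persistence:", f)
    for f in check_connection_log(SAMPLE_LOG):
        print("c2 traffic: ", f)
```

Run as a script it prints one persistence finding (the Run value pointing at the expanded path of symantec.exe) and the two connection lines to the dyndns hosts; the update.microsoft.com probe and the unrelated hosts are left alone. Matching on the dropped file path as well as the value name catches the case where only one of the two was changed in a variant.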
Analysis by Jaime Wong
Last update 29 October 2010