
Backdoor:Win32/Beastdoor.S


First posted on 12 July 2011.
Source: SecurityHome

Aliases:

Backdoor:Win32/Beastdoor.S is also known as BDS/Beastdoor.S.35 (Avira), Trojan.PWS.Stealer.437 (Dr.Web), Mal/Spy-J (Sophos).

Explanation:

Backdoor:Win32/Beastdoor.S is a trojan that allows unauthorized remote access to, and control of, the affected computer. It also modifies certain settings on the computer.





Installation

When run, Backdoor:Win32/Beastdoor.S copies itself to the computer under varying file names and drops a copy of itself in the default Windows folder. Some variants may pose as a JPEG file or as a stealth monitoring application.

In the wild, one sample drops the following files:

  • %windir%\msmdel.exe - copy of itself
  • %windir%\msmdel.dll - DLL component
  • %windir%\msmdel.hfa - data file


It adds the following registry entries as part of its installation routine:

In subkey: HKCU\Software\Adobe\MD
Sets value: "ma"
With data: "%windir%\msmdel.exe"
Sets value: "mc"
With data: "%windir%\msmdel.exe"
Sets value: "MDA"
With data: "%windir%\msmdel.hfa"

It also modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{53B21ED2-D151-A1E2-C2C1-E32B214AA1AC}
Sets value: "StubPath"
With data: "%windir%\msmdel.exe"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\srservice
Sets value: "Start"
With data: "4"



Payload

Allows backdoor access and control
Backdoor:Win32/Beastdoor.S sends an email to a remote attacker containing infection information such as the IP address of the computer on which it is installed and an open port number. It then injects code into the "explorer.exe" process, tries to open a port (usually 6666, but this may vary), and waits for commands.

Using this backdoor, an attacker can perform a number of actions on an affected computer, which may include:

  • Take a screen capture
  • Record webcam video
  • Open, close, and remove CD-ROM
  • Download and execute arbitrary files
  • Swap mouse buttons
  • Control the mouse
  • Steal files from the affected computer
  • Change the time on the affected computer
  • Send emails
  • Copy window text then send captures via email
  • Log keystrokes or steal sensitive data
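The following PowerShell triage script is an added example, not part of the original write-up, that checks a host for the installation and payload indicators listed above (the dropped file names, the HKCU\Software\Adobe\MD values, the Active Setup StubPath, the srservice Start value, and a listener on the default port 6666). It assumes a modern Windows with the NetTCPIP module (Get-NetTCPConnection); run it as the affected user for the HKCU checks and elevated for the HKLM and process checks.

```powershell
# Triage check for Backdoor:Win32/Beastdoor.S indicators (added example; indicator
# values come from the write-up above, other variants use different file names).
$findings = @()

# 1. Dropped files in the Windows directory (names from the analysed sample)
foreach ($name in 'msmdel.exe', 'msmdel.dll', 'msmdel.hfa') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Configuration values the sample stores under an Adobe-looking key
$cfgKey = 'HKCU:\Software\Adobe\MD'
if (Test-Path -LiteralPath $cfgKey) {
    $cfg = Get-ItemProperty -LiteralPath $cfgKey
    foreach ($v in 'ma', 'mc', 'MDA') {
        if ($null -ne $cfg.$v) { $findings += "Registry ${cfgKey}\$v = $($cfg.$v)" }
    }
}

# 3. Active Setup persistence: StubPath is executed for each user at logon
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{53B21ED2-D151-A1E2-C2C1-E32B214AA1AC}'
if (Test-Path -LiteralPath $asKey) {
    $stub = (Get-ItemProperty -LiteralPath $asKey).StubPath
    $findings += "Active Setup persistence present, StubPath = $stub"
}

# 4. srservice Start=4 means SERVICE_DISABLED (the sample sets this value)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\srservice'
if (Test-Path -LiteralPath $svcKey) {
    $start = (Get-ItemProperty -LiteralPath $svcKey).Start
    if ($start -eq 4) { $findings += "srservice is disabled (Start=4)" }
}

# 5. Listener on the default backdoor port; the sample may choose another port,
#    so also review any unexpected listener owned by explorer.exe
$listeners = Get-NetTCPConnection -State Listen -LocalPort 6666 -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 6666 listening, owner: $($proc.Name) (PID $($l.OwningProcess))"
}

if ($findings.Count -eq 0) { 'No Beastdoor.S indicators found.' } else { $findings }
```

A hit on any single check is worth a closer look, but only the combination of the dropped files, the registry values, and a listener owned by explorer.exe matches the behaviour described here.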




Analysis by Rex Plantado

Last update 12 July 2011
