
Backdoor.Ghopapox


First posted on 16 April 2015.
Source: Symantec

Aliases :

There are no other names known for Backdoor.Ghopapox.

Explanation :

When the Trojan is executed, it creates the following files:
%Temp%\Microsoft.Win32.TaskScheduler.dll
%Temp%\runonce.exe
%Temp%\end.bat
%Temp%\start.bat
%Temp%\SetTaskPathEx.exe
%UserProfile%\Application Data\AdobeFlash\Update\AutoUpdate.dat
%UserProfile%\Application Data\AdobeFlash\Update\updat_.exe
%UserProfile%\Application Data\AdobeFlash\Update\updat_.exe_
%Windir%\Tasks\AdobeFlash Update Checker.job
The .job file under %Windir%\Tasks is a Task Scheduler job, so the Trojan persists through a scheduled task named "AdobeFlash Update Checker" that imitates an Adobe Flash updater; the dropped files under an "AdobeFlash\Update" folder follow the same disguise.
The Trojan opens a back door and connects to one of the following hostnames:
telli.chickenkiller.com
goodshop.minidns.net
The Trojan may steal the following information from the compromised computer:
Hostname
Operating system version
Presence of a multimedia capture device
The Trojan may perform the following actions:
Create a remote shell
Obtain the process list
Download and execute files
Execute Internet Explorer with a provided argument
Create an event
Log off, shut down, or restart the computer
Clear Windows logs
List files
Delete files and directories
Create files and directories
Move files
Search files
Read files
Write to a file
The Trojan may perform the following actions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key:
Create a registry sub key
Set a registry value
Delete a sub key
Delete a registry value
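As an added triage example (not Symantec's code and not part of the original writeup), the Python below checks a file inventory and a DNS query log against the dropped-file paths and back-door hostnames listed above. The file paths and hostnames are the page's own; the environment map, the inventory lines and the DNS log lines are constructed sample data. The matcher assumes Windows case-insensitive paths and, on Vista and later, that the per-user "Application Data" folder is a junction to %AppData% (…\AppData\Roaming), so the same files show up under either spelling; it matches hostnames exactly, not subdomains.

```python
"""Triage matcher for the Backdoor.Ghopapox indicators listed above.

Added example, not Symantec's or the page's own code. The file paths and
hostnames are the page's; the environment, inventory and DNS lines are
constructed sample data.
"""
import re
from typing import Dict, Iterable, List, Set

# Dropped-file indicators, in the writeup's %Var% path notation.
FILE_INDICATORS = [
    r"%Temp%\Microsoft.Win32.TaskScheduler.dll",
    r"%Temp%\runonce.exe",
    r"%Temp%\end.bat",
    r"%Temp%\start.bat",
    r"%Temp%\SetTaskPathEx.exe",
    r"%UserProfile%\Application Data\AdobeFlash\Update\AutoUpdate.dat",
    r"%UserProfile%\Application Data\AdobeFlash\Update\updat_.exe",
    r"%UserProfile%\Application Data\AdobeFlash\Update\updat_.exe_",
    r"%Windir%\Tasks\AdobeFlash Update Checker.job",  # scheduled-task persistence
]
# Back-door hostnames from the writeup.
C2_HOSTS = ["telli.chickenkiller.com", "goodshop.minidns.net"]

_VAR = re.compile(r"%([A-Za-z_]+)%")
_LEGACY_APPDATA = r"%UserProfile%\Application Data"


def expand(template: str, env: Dict[str, str]) -> str:
    """Expand %Var% placeholders case-insensitively; unknown ones are left as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), template)


def normalize(path: str) -> str:
    """Canonical form for comparison: backslashes, no trailing slash, lower case."""
    return path.replace("/", "\\").rstrip("\\").lower()


def expected_paths(env: Dict[str, str]) -> Set[str]:
    """Every on-disk location an indicator can resolve to under this environment.

    On Vista and later "<profile>\\Application Data" is a junction to %AppData%
    (...\\AppData\\Roaming), so a directory listing reports the files under the
    junction target. When AppData is in the environment both spellings are kept.
    """
    keys = {k.lower() for k in env}
    wanted = set()
    for template in FILE_INDICATORS:
        wanted.add(normalize(expand(template, env)))
        if "appdata" in keys and template.lower().startswith(_LEGACY_APPDATA.lower()):
            modern = "%AppData%" + template[len(_LEGACY_APPDATA):]
            wanted.add(normalize(expand(modern, env)))
    return wanted


def match_files(inventory: Iterable[str], env: Dict[str, str]) -> List[str]:
    """Inventory paths that equal an expanded indicator (case-insensitive)."""
    wanted = expected_paths(env)
    return sorted(p for p in inventory if normalize(p) in wanted)


# Hostname-looking tokens; the final label must be alphabetic, so IP addresses
# and timestamps in the log line are skipped.
_HOST = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}\.?")


def match_dns(log_lines: Iterable[str]) -> List[str]:
    """Log lines that name one of the C2 hosts exactly (trailing dot tolerated)."""
    c2 = {h.lower() for h in C2_HOSTS}
    hits = []
    for line in log_lines:
        names = {h.rstrip(".").lower() for h in _HOST.findall(line)}
        if names & c2:
            hits.append(line)
    return hits


# Constructed sample data (not captured from a real incident).
SAMPLE_ENV = {
    "Temp": r"C:\Users\alice\AppData\Local\Temp",
    "UserProfile": r"C:\Users\alice",
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "Windir": r"C:\Windows",
}
SAMPLE_INVENTORY = [
    r"C:\Users\alice\AppData\Local\Temp\RUNONCE.EXE",
    r"C:\Users\alice\AppData\Roaming\AdobeFlash\Update\updat_.exe",
    r"C:\Windows\Tasks\AdobeFlash Update Checker.job",
    r"C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job",
    r"C:\Users\alice\AppData\Local\Temp\report.pdf",
]
SAMPLE_DNS_LOG = [
    "16-Apr-2015 10:22:01.413 client 10.0.0.5#51234: query: telli.chickenkiller.com IN A +",
    "16-Apr-2015 10:22:03.002 client 10.0.0.5#51235: query: www.adobe.com IN A +",
    "16-Apr-2015 10:25:44.870 client 10.0.0.7#60010: query: goodshop.minidns.net. IN A +",
]

if __name__ == "__main__":
    for hit in match_files(SAMPLE_INVENTORY, SAMPLE_ENV):
        print("file indicator:", hit)
    for hit in match_dns(SAMPLE_DNS_LOG):
        print("dns indicator: ", hit)
```

Feed match_files the output of a recursive directory listing and the victim's actual %Temp%, %UserProfile%, %AppData% and %Windir% values rather than the constructed ones; on an XP-era profile there is no %AppData% junction, so only the "Application Data" spelling is checked. Because the writeup says the back door connects to "one of" the two hostnames, a single DNS hit is already enough to triage the host, and a clean DNS log is not proof of absence since the Trojan can also be instructed to download and execute further files.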

Last update 16 April 2015
