Backdoor.Miras
First posted on 22 August 2014.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Miras.
Explanation:
When the Trojan is executed, it creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\raswmi\Parameters\"ServiceDll" = C:\WINDOWS\System32\wbem\raswmi.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\raswmi\"Type" = 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\raswmi\"Start" = 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\raswmi\"ErrorControl" = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\raswmi\"DisplayName" = "WMI service provider"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\raswmi\"Description" = "WMI service client"
Together these register raswmi as a Windows service that starts automatically at boot (Start = 0x2 is SERVICE_AUTO_START; Type = 0x10 is SERVICE_WIN32_OWN_PROCESS; ErrorControl = 0x1 is SERVICE_ERROR_NORMAL) and loads the dropped DLL through the ServiceDll value. The display name and description are chosen to resemble legitimate WMI components, and the genuine WMI service (Winmgmt) keeps its files under the same %System%\wbem directory, so the path alone does not distinguish the implant from legitimate files.
The Trojan creates the following file:
%System%\wbem\raswmi.dll
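The following PowerShell hunt is an added example, not part of the Symantec write-up. It checks a host for the raswmi service key and the dropped DLL described above, and then generalizes the idea: it sweeps every service that loads through a Parameters\ServiceDll value and reports those whose DLL is missing, unsigned, or not signed by Microsoft. It assumes an elevated session on the host being examined; the service name, DLL path and Microsoft-signer test are the only indicators it relies on.

```powershell
# Added example (not from the Symantec write-up): hunt for the raswmi service
# persistence and, more generally, for any ServiceDll that is not a
# Microsoft-signed binary. Run from an elevated PowerShell session.

$services         = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$indicatorService = 'raswmi'
$indicatorDll     = Join-Path $env:SystemRoot 'System32\wbem\raswmi.dll'

# 1. Direct indicator check: the service key and the dropped DLL.
$svcKey = Join-Path $services $indicatorService
if (Test-Path $svcKey) {
    $props = Get-ItemProperty -Path $svcKey
    Write-Warning ("Service '{0}' present: DisplayName='{1}' Start={2} Type=0x{3:X}" -f `
        $indicatorService, $props.DisplayName, $props.Start, $props.Type)
    $params = Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue
    if ($params) { Write-Warning ("  ServiceDll = {0}" -f $params.ServiceDll) }
}
if (Test-Path $indicatorDll) {
    $sig  = Get-AuthenticodeSignature -FilePath $indicatorDll
    $hash = (Get-FileHash -Algorithm SHA256 -Path $indicatorDll).Hash
    Write-Warning ("Dropped DLL present: {0} (signature: {1}, SHA256: {2})" -f `
        $indicatorDll, $sig.Status, $hash)
}

# 2. Generic sweep: every service with a Parameters\ServiceDll whose DLL is
#    missing, unsigned, or signed by someone other than Microsoft. Legitimate
#    third-party agents will also appear here, so review rather than auto-remove.
Get-ChildItem -Path $services | ForEach-Object {
    $paramsPath = Join-Path $_.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }
    # Built-in services often store %SystemRoot%-style paths.
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path $dll)) {
        [pscustomobject]@{ Service = $_.PSChildName; ServiceDll = $dll; Status = 'DLL missing' }
        return
    }
    $sig    = Get-AuthenticodeSignature -FilePath $dll
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{ Service = $_.PSChildName; ServiceDll = $dll; Status = "$($sig.Status); $signer" }
    }
} | Format-Table -AutoSize
```

Get-AuthenticodeSignature consults the system catalogs on Windows 8 and later, so catalog-signed Microsoft DLLs report Valid there; on older systems many legitimate DLLs show NotSigned, and the sweep output should be treated as a triage list rather than a verdict. Record the SHA256 of anything you remove so it can be matched against later samples.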
The Trojan calculates the free disk space (DiskFreeSpaceA) and stores the result in a file with the following name:
[RANDOM NUMBER]lu.tmp
The Trojan opens a back door on the compromised computer and connects to the following location:
microsoften.com
The domain is a look-alike of microsoft.com, so filter on the exact string rather than on a visual match when searching logs.
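This second PowerShell block is also an added example and not part of the Symantec write-up. It looks for the network and file artefacts listed above on a single host: the command-and-control domain in the DNS resolver cache, in Sysmon DNS query events, and in the hosts file, and the free-space scratch file by its name pattern. It assumes Windows 8 / Server 2012 or later (for Get-DnsClientCache) and Sysmon with DNS logging enabled (event ID 22); the directories searched for the .tmp file are an assumption, since the write-up does not say where it is written.

```powershell
# Added example (not from the Symantec write-up): hunt for the C2 domain and
# the [RANDOM NUMBER]lu.tmp artefact on a single host.

$c2Domain = 'microsoften.com'

# 1. Resolver cache: a hit means a process on this host resolved the name recently.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$c2Domain*" -or $_.Name -like "*$c2Domain*" } |
    Select-Object Entry, Name, Data, TimeToLive

# 2. Sysmon DNS query events (ID 22) naming the domain, with the querying process.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['QueryName'] -like "*$c2Domain*") {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $data['Image']
            Query   = $data['QueryName']
            Answer  = $data['QueryResults']
        }
    }
} | Format-Table -AutoSize

# 3. Hosts-file override: a locally pinned entry would bypass DNS logging.
Select-String -Path "$env:SystemRoot\System32\drivers\etc\hosts" `
    -Pattern ([regex]::Escape($c2Domain)) -ErrorAction SilentlyContinue

# 4. The free-space scratch file: one or more digits followed by "lu.tmp".
#    The directories are an assumption; the write-up gives only the file name.
$candidateDirs = @($env:TEMP, "$env:SystemRoot\Temp", "$env:SystemRoot\System32\wbem")
Get-ChildItem -Path $candidateDirs -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+lu\.tmp$' } |
    Select-Object FullName, Length, LastWriteTime
```

The resolver cache is short-lived, so an empty result there proves nothing; the Sysmon search is the durable source and also attributes the lookup to a process image, which is what you need to tie the query back to the service host loading raswmi.dll.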
The Trojan steals the following information and sends it to the command-and-control server:
Default computer language
Operating system version
Computer name
User name
The Trojan may perform the following actions:
Terminate processes
Execute files

Last update: 22 August 2014