
Backdoor.Zdoogu.F


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Backdoor.Zdoogu.F is also known as Backdoor.Win32.Zdoogu.bx, BDS/Zdoogu.BX.

Explanation :

The backdoor copies itself to %windir%\system32\digiwet.dll (the copy is rewritten as a DLL rather than an executable) and registers that copy to load at startup through the registry value:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
DLLs listed in this value are loaded by the Local Security Authority (lsass.exe) as Security Support Providers, so the copy runs inside a trusted system process on every boot.
It then launches svchost.exe and overwrites the image of svchost.exe in memory with its own payload (process hollowing). The payload does the following:
It creates a file named wiaservim.log in %windir%, probably to record its activity. It connects to 78.109.29.112, downloads and executes a couple of files from there, and afterwards reports back to the same IP.
The downloaded executables belong to the Backdoor.IRCBot family. With them the compromised computer can be controlled remotely over IRC (Internet Relay Chat).
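The following triage script is an added example, not part of the original BitDefender description. It checks collected host artefacts for the four indicators above: an extra DLL in the SecurityProviders value, a connection to 78.109.29.112, an svchost.exe that was not started by services.exe (a hollowed copy launched by another process will not be), and the dropped files. All inputs are constructed samples (a reg export, netstat -ano output, a process list and a directory listing); the port on the C2 connection and the choice of lsass.exe as the rogue svchost's parent are assumptions of the sample, not facts from the source, and the baseline SSP list is the one Windows XP/2003 and Vista+ ship by default.

```python
import re

# Indicators taken from the description above.
IOC_C2_IP = "78.109.29.112"
IOC_DLL = "digiwet.dll"
IOC_LOG = "wiaservim.log"

# Assumption: SSP DLLs Windows itself lists in SecurityProviders
# (XP/2003 list the first four, Vista and later list credssp.dll).
BASELINE_SSPS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll", "credssp.dll"}

# Constructed sample of `reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders`.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"
'''

# Constructed sample of `netstat -ano`; the port is part of the sample, the source states none.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:49201     78.109.29.112:80       ESTABLISHED     1844
  TCP    192.168.1.20:49210     93.184.216.34:443      ESTABLISHED     2316
"""

# Constructed process list as (pid, ppid, image name). PID 1844 is the hollowed
# svchost.exe; the sample assumes it was spawned from lsass.exe, where the SSP DLL runs.
SAMPLE_PROCS = [
    (4, 0, "System"), (536, 4, "smss.exe"), (620, 536, "services.exe"),
    (644, 536, "lsass.exe"), (880, 620, "svchost.exe"), (1844, 644, "svchost.exe"),
]

# Constructed directory listing of %windir% and %windir%\system32.
SAMPLE_FILES = [
    r"C:\Windows\wiaservim.log",
    r"C:\Windows\system32\digiwet.dll",
    r"C:\Windows\system32\schannel.dll",
]


def parse_security_providers(reg_text):
    """Return the DLLs listed in the SecurityProviders value, lower-cased."""
    m = re.search(r'"SecurityProviders"="([^"]*)"', reg_text)
    if not m:
        return []
    return [e.strip().lower() for e in m.group(1).split(",") if e.strip()]


def unexpected_providers(entries):
    """SSP entries outside the OS baseline; each one is a DLL LSA will load at boot."""
    return [e for e in entries if e not in BASELINE_SSPS]


def c2_connections(netstat_text, ip=IOC_C2_IP):
    """(local, remote, state, pid) for every TCP socket whose peer is the C2 address."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[2].rsplit(":", 1)[0] == ip:
            hits.append((parts[1], parts[2], parts[3], int(parts[4])))
    return hits


def rogue_svchost(procs):
    """PIDs of svchost.exe instances whose parent is not services.exe.
    Legitimate service hosts are always started by services.exe; a copy
    launched by the backdoor for hollowing is not."""
    names = {pid: name.lower() for pid, _, name in procs}
    return [pid for pid, ppid, name in procs
            if name.lower() == "svchost.exe" and names.get(ppid) != "services.exe"]


def ioc_files(paths):
    """Paths whose file name is the dropped DLL or the activity log."""
    return [p for p in paths if p.lower().rsplit("\\", 1)[-1] in (IOC_DLL, IOC_LOG)]


def triage(reg_text, netstat_text, procs, paths):
    """Collect every matching indicator; an empty dict means nothing matched."""
    findings = {}
    ssps = unexpected_providers(parse_security_providers(reg_text))
    if ssps:
        findings["security_providers"] = ssps
    conns = c2_connections(netstat_text)
    if conns:
        findings["c2_connections"] = conns
    hollowed = rogue_svchost(procs)
    if hollowed:
        findings["rogue_svchost"] = hollowed
    files = ioc_files(paths)
    if files:
        findings["files"] = files
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PROCS, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

The SecurityProviders check compares against a baseline rather than looking only for digiwet.dll, because the same registry value is a generic persistence location and any unexpected entry there deserves a look. The parent-process check is likewise generic: it catches a hollowed svchost.exe without needing the name of the process that spawned it.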

Last update 21 November 2011

 
