
Backdoor.Komprogo


First posted on 09 December 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Komprogo.

Explanation:

When the Trojan is executed, it creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam\"ComponentName" = "C2F8037AA0BD29CD472402BC63079F558F647C9B"

The Trojan then creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{53255E7F-D464-40FB-857D-A2F9F0E1E397}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}

Next, the Trojan attempts to disable the following software on the compromised computer:
NISUMEngx86.dll
Norton Internet Security
SepMasterService

The Trojan then connects to one or more of the following remote locations:
check.paidprefund.org
syn.timeizu.net
blog.docksugs.org
news.lightpress.info
193.169.245.197
mobile.pagmobiles.info

The Trojan may then perform the following actions:
Move, read, execute, download, create, delete, and copy files
Enumerate running processes
End processes
Set, query, and delete registry values
Collect user names
Collect the computer name
Execute arbitrary commands
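The registry and network indicators above are usable as-is for hunting. The script below is an added example written for this page, not Symantec's code, that matches those indicators against Sysmon-style registry events and DNS/proxy events. Two details matter in practice and are handled here: Sysmon does not log the merged HKCR or HKCU views but the backing paths (HKLM\SOFTWARE\Classes\... or HKU\<SID>\...), so hive prefixes and user SIDs are normalised away before comparison; and the Narrator\NoRoam key is also written by the legitimate Narrator, so the match is made on the ComponentName value the Trojan sets rather than on the key alone. The log line format, the host name WS17 and the SID are constructed for the demonstration.

```python
"""Offline IOC matcher for the Backdoor.Komprogo indicators listed on this page.

Added example, not Symantec's code. The key=value log format below is
constructed for the demonstration; adapt the two regexes in scan_lines to
whatever your Sysmon / DNS / proxy export actually looks like.
"""
import re
from typing import List, Optional, Tuple

# Registry artifacts transcribed from the description above. The first entry
# names the value (ComponentName) because the NoRoam key itself is legitimate.
REGISTRY_IOCS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Narrator\NoRoam\ComponentName",
    r"HKEY_CLASSES_ROOT\CLSID\{53255E7F-D464-40FB-857D-A2F9F0E1E397}\InProcServer32",
    r"HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components"
    r"\{89B4C1CD-B018-4511-B0A1-5476DBF70820}",
]
# Remote locations transcribed from the description above.
NETWORK_IOCS = [
    "check.paidprefund.org", "syn.timeizu.net", "blog.docksugs.org",
    "news.lightpress.info", "193.169.245.197", "mobile.pagmobiles.info",
]


def _normalize(path: str) -> str:
    """Reduce a registry path to a hive-independent, lower-cased tail.

    HKEY_CURRENT_USER, HKCU and HKU\\<SID> all collapse to the same tail, and
    HKLM\\SOFTWARE\\Classes\\... (the store behind HKCR) collapses to HKCR's tail.
    """
    p = path.strip().strip('"')
    p = re.sub(r"^(HKEY_[A-Z_]+|HK[A-Z]{1,2})\\", "", p, flags=re.IGNORECASE)  # hive
    p = re.sub(r"^S-1-5-[0-9-]+(_Classes)?\\", "", p, flags=re.IGNORECASE)      # user SID
    p = re.sub(r"^SOFTWARE\\Classes\\", "", p, flags=re.IGNORECASE)            # HKCR backing store
    return p.lower()


def match_registry_path(path: str) -> Optional[str]:
    """Return the matching registry IOC (key, or value under a listed key), else None."""
    tail = _normalize(path)
    for ioc in REGISTRY_IOCS:
        ioc_tail = _normalize(ioc)
        if tail == ioc_tail or tail.startswith(ioc_tail + "\\"):
            return ioc
    return None


def match_host(host: str) -> Optional[str]:
    """Return the matching network IOC for an exact host/IP or a subdomain of a listed host."""
    h = host.strip().rstrip(".").lower()
    for ioc in NETWORK_IOCS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


Hit = Tuple[int, str, str]  # (line number, "registry" | "network", matched indicator)


def scan_lines(lines: List[str]) -> List[Hit]:
    """Scan key=value event lines; registry paths may contain spaces, so they run to end of line."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"TargetObject=(.+)$", line)
        if m:
            ioc = match_registry_path(m.group(1))
            if ioc:
                hits.append((n, "registry", ioc))
            continue
        m = re.search(r"\b(?:query|dst)=(\S+)", line)
        if m:
            ioc = match_host(m.group(1))
            if ioc:
                hits.append((n, "network", ioc))
    return hits


# Constructed sample events (host name, SID and timestamps are made up).
SAMPLE_LOG = [
    r"2015-12-09T10:01:02Z host=WS17 event=RegistryValueSet TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Narrator\NoRoam\ComponentName",
    r"2015-12-09T10:01:03Z host=WS17 event=RegistryKeyCreate TargetObject=HKLM\SOFTWARE\Classes\CLSID\{53255E7F-D464-40FB-857D-A2F9F0E1E397}\InProcServer32",
    r"2015-12-09T10:01:03Z host=WS17 event=RegistryKeyCreate TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run",
    "2015-12-09T10:01:10Z host=WS17 event=DnsQuery query=syn.timeizu.net",
    "2015-12-09T10:01:11Z host=WS17 event=NetConnect dst=193.169.245.197 dport=443",
    "2015-12-09T10:01:12Z host=WS17 event=DnsQuery query=www.symantec.com",
]

if __name__ == "__main__":
    for line_no, kind, ioc in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator matched: {ioc}")
```

Running the script against the constructed events reports the ComponentName value write, the CLSID InProcServer32 key, the DNS query for syn.timeizu.net and the connection to 193.169.245.197, and stays silent on the ordinary Run key and the symantec.com lookup. Parent domains of the listed hosts (for example paidprefund.org on its own) are deliberately not matched, since the page only lists the full host names.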

Last update 09 December 2015
