Home / malware Backdoor:MSIL/Ofnipon.A
First posted on 17 July 2010.
Source: SecurityHomeAliases :
Backdoor:MSIL/Ofnipon.A is also known as Backdoor.MSIL.Bot.A (BitDefender), BDS/MSIL.Bot.A.1 (Avira), Backdoor.MSIL (Ikarus).
Explanation :
Backdoor:MSIL/Ofnipon.A is a backdoor trojan that terminates certain security processes. It also allows a remote attacker to gain access and control of the infected computer. Backdoor:MSIL/Ofnipon.A is capable of checking if it is running in a virtual environment or under certain conditions, in these cases it can terminate itself to avoid analysis and detection.
Top
Backdoor:MSIL/Ofnipon.A is a backdoor trojan that terminates certain security processes. It also allows a remote attacker to gain access and control of the infected computer. Installation Backdoor:MSIL/Ofnipon.A drops itself in the computer as the following file:%AppData%\update\svchost.exe It also creates the following registry entries to ensure that it automatically runs every time Windows starts: Adds value: "svchost" With data: "%AppData%\update\svchost.exe" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adds value: "svchost" With data: "%AppData%\update\svchost.exe" In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adds value: "Userinit" With data: "<system folder>\userinit.exe,%AppData%\update \svchost.exe," In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. It creates the following mutex:qxq9rm2qdpc9lss98ccaci9elgxqxq Backdoor:MSIL/Ofnipon.A terminates itself if it is running under any of the following processes:Sandboxie VirtualPC VmWare It also terminates if the currently running user name is one of the following:currentuser honey sandbox User UserName It also terminates if the computer name is one of the following:COMPUTERNAME DELL-D3E62F7E26 DWI-9625AC2E275 MICHAEL-F156CF7 Payload Terminates security processes Backdoor:MSIL/Ofnipon.A terminates the following processes, which are related to security programs: a2servic.exe acs.exe antigen.exe ashwebsv.exe avgemc.exe bullguard.exe ccapp.exe clamauto.exe cpf.exe earthagent.exe ekrn.exe ewido.exe fpavserver.exe kavsvc.exe mcagentmcuimgr.exe msascui msmpeng nod32.exe nod32krn.exe pccntmon.exe spysweeper.exe tmlisten.exe vsmon.exe Allows backdoor access and control Backdoor:MSIL/Ofnipon.A attempts to connect to one of the following servers via port 3074: aidswow.no-ip.info dontdiebitch.no-ip.biz aidsplox123.no-ip.info Backdoor:MSIL/Ofnipon.A can receive any of the following commands from the server: UNINSTALL - removes itself from the infected computer KEY - sends product key information, operating version and service pack version FF - if Firefox is installed, sends saved login information STOP UDP - starts UDP flood of a given IP address/host HTTP - starts HTTP flood of given IP address/host BEEP - sends back to the control center "BEEP" to signal host is alive STOP_ALL - stops HTTP and UDP flooding UDPATE - updates malware on the infected computer from a given URL URL:NORMAL - opens a URL to the user URL:HIDDEN - opens a URL with a hidden window DESKTOP - sends a screenshot of the user's desktop STOPDESKTOP - stops sending the screenshots GETPROCESSES - sends a list of current running processes (with process IDs and file locations)
Analysis by Daniel RaduLast update 17 July 2010