Backdoor:Win32/Vedratve.A
First posted on 26 May 2015.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Vedratve.A.
Explanation:
Threat behavior
Installation
The malware may be installed into a random directory under a random file name.
It checks for the named system event "FRWK_EVENT_SFCTLCOM_EXIT". If that event exists, it searches for the following processes (both belong to Trend Micro security products) and disables the services associated with them, so that the security software is out of the way before the rest of the installation runs:
- TMBMSRV.exe
- coreServiceShell.exe
The malware also looks for a service named "MicrosoftEngineering". If the service exists, the malware deletes it and creates a new one whose binary path points to its own copy, for example:
- Service name: MicrosoftEngineering
- Display name: Microsoft Engineering Service
- Binary path name:
- Start type: SERVICE_AUTO_START
The malware also drops a kernel driver component, keymmdrv.sys, into the \asm_drivers directory. This component is detected as Trojan:WinNT/Vedratve.A.
Payload
The threat can do the following on your PC:
- Disable and enable system services
- Stop or end processes
- Upload files to target servers (can be any server provided by the attacker)
- Establish a remote connection
- Create a remote shell
- Copy (steal) the access token privileges of system services, giving it the privileges those services run with
We have seen the malware try to connect to the following server to receive commands from a malicious hacker:
- tbe1.usdagroup.com
Additional information
When the malware first runs in the background and copies token privileges, it also launches the legitimate Windows program mspaint.exe. It most likely does this to hide its activity from a user of the PC, who sees only Paint.
Analysis by Zarestel Ferrer
Symptoms
The following can indicate that you have this threat on your PC:
- You have the file:
\asm_drivers\keymmdrv.sys
- The Windows Paint app appears to open on its own
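The following PowerShell host-triage script is an added example and is not Microsoft's code or part of the original entry. It pulls together the indicators described under Installation (the MicrosoftEngineering service, the keymmdrv.sys driver, the tampered security-product services and the named event), Payload (the tbe1.usdagroup.com command server) and Symptoms (mspaint.exe launched on its own) into one check. The function name Test-VedratveIndicators, the report layout, the decision to sweep every fixed drive for the truncated \asm_drivers parent path, and the treatment of a Paint process with a parent other than explorer.exe as suspicious are all this example's own assumptions, not facts from the entry.

```powershell
# Added triage example (not Microsoft's code). Indicator values come from the entry above;
# the function name, report layout and search strategy are this example's own assumptions.
function Test-VedratveIndicators {
    [CmdletBinding()]
    param(
        # Assumption: sweep every fixed drive because the entry truncates the parent of \asm_drivers.
        [string[]]$SearchRoots = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
                                  ForEach-Object { $_.DeviceID + '\' })
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Indicator, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
    }

    # Persistence: the MicrosoftEngineering service that the malware recreates to point at its own copy.
    $svc = Get-CimInstance Win32_Service -Filter "Name='MicrosoftEngineering'"
    if ($svc) {
        Add-Finding 'Service' ("DisplayName='{0}' StartMode={1} Path={2}" -f $svc.DisplayName, $svc.StartMode, $svc.PathName)
    }

    # Kernel component: keymmdrv.sys inside any asm_drivers directory, plus any driver service that loads it.
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Directory -Filter 'asm_drivers' -Recurse -Depth 3 -ErrorAction SilentlyContinue |
            ForEach-Object {
                $drv = Join-Path $_.FullName 'keymmdrv.sys'
                if (Test-Path -LiteralPath $drv) { Add-Finding 'DriverFile' $drv }
            }
    }
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'keymmdrv\.sys' } |
        ForEach-Object { Add-Finding 'DriverService' ("{0} -> {1}" -f $_.Name, $_.PathName) }

    # Security-product tampering: services whose binary is TMBMSRV.exe or coreServiceShell.exe
    # that are no longer running or have been set to Disabled.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'TMBMSRV\.exe|coreServiceShell\.exe' -and
                       ($_.State -ne 'Running' -or $_.StartMode -eq 'Disabled') } |
        ForEach-Object { Add-Finding 'TamperedAvService' ("{0} State={1} StartMode={2}" -f $_.Name, $_.State, $_.StartMode) }

    # Precondition the backdoor checks: the named event. Its presence only shows the security
    # product is installed (context for the tamper check above), not that the host is infected.
    foreach ($name in 'FRWK_EVENT_SFCTLCOM_EXIT', 'Global\FRWK_EVENT_SFCTLCOM_EXIT') {
        try {
            $ev = [System.Threading.EventWaitHandle]::OpenExisting($name)
            $ev.Dispose()
            Add-Finding 'NamedEventPresent' $name
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        } catch [System.UnauthorizedAccessException] {
            Add-Finding 'NamedEventPresent' "$name (access denied, so the object exists)"
        }
    }

    # Command server: look for the domain in the DNS resolver cache (cmdlet needs Windows 8 / Server 2012 or later).
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*usdagroup.com' } |
        ForEach-Object { Add-Finding 'DnsCache' ("{0} -> {1}" -f $_.Entry, $_.Data) }

    # Decoy: running mspaint.exe instances with their parent process. The entry only says the malware
    # launches Paint; treating a parent other than explorer.exe as suspicious is this example's assumption.
    Get-CimInstance Win32_Process -Filter "Name='mspaint.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        $pname  = if ($parent) { $parent.Name } else { '<exited>' }
        Add-Finding 'DecoyProcess' ("mspaint.exe PID {0} parent {1} (PID {2})" -f $_.ProcessId, $pname, $_.ParentProcessId)
    }

    return $findings
}

# Usage: run from an elevated prompt so service, driver and process queries are complete.
Test-VedratveIndicators | Format-Table -AutoSize
```

An empty result means none of the listed indicators were found, not that the host is clean: the driver path in the entry is truncated, the C2 domain only shows up in the cache while a lookup is still cached, and a Trend Micro service that is simply not installed produces no tamper finding. Treat a DriverFile, DriverService or Service hit as strong evidence and the rest as supporting context.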
Last update 26 May 2015