Trojan:Win32/Duberath.A


First posted on 24 September 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Duberath.A is also known as BackDoor.VB.JIP (AVG), BDS/VB.ldq.1 (Avira), Win32/Vulcanbot.J (CA), Win32/VBbot.V (ESET), Backdoor.Win32.VB.ldq (Kaspersky), W32/Vulcanbot (McAfee), Adware/AccessMembre (Panda), BKDR_VB.JTA (Trend Micro), Backdoor.VB.IHVM (VirusBuster).

Explanation :

Trojan:Win32/Duberath.A is a trojan that poses as a popular legitimate application, such as Adobe Update Manager. Once installed, it may connect to a remote server, download and install additional files onto the compromised computer, and accept commands from a remote attacker.

Installation

Trojan:Win32/Duberath.A creates a mutex and drops itself with a hidden attribute into the following path:

  C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\adobeupdater.exe

The trojan makes the following registry modifications to ensure it executes at each Windows start:

  In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Sets value: "Adobe Update Manager"
  With data: "<Malware File>"

  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Sets value: "Adobe Update Manager"
  With data: "<Malware File>"

  In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Sets value: "Userinit"
  With data: "<system folder>\userinit.exe,<Malware File>"

The trojan may download and install files to <system folder> with the following names:

  • msconfig32.sys
  • ntconf32.vxd
  • ntsys32.vxd
  • msimsg32.vxd

Note: The remote download sites were offline at the time of writing.

Trojan:Win32/Duberath.A adds itself to the list of applications that are authorized to access the Internet without being stopped by the firewall, by adding the following registry value:

  In subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Sets value: "<Malware File>"
  With data: "<Malware File>:*:Enabled:Adobe Update Manager"

Payload

Allows backdoor access and control

This trojan opens a backdoor to the compromised computer by attempting to connect to the following remote servers using either TCP port 80 or 8585:

  • adobe.ath.cx:80
  • tyuqwer.dyndns.org:80
  • google.homeunix.com:80
  • google.homeunix.com:8585
  • ymail.ath.cx:8585
  • voanews.ath.cx:8585
  • danchimviet.dnsalias.org:8585

Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker might be able to:

  • Download and execute arbitrary files
  • Upload files
  • Take screen captures
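The persistence artifacts listed under Installation can be hunted for in an offline registry snapshot. The following is an added example, not code from the original write-up: it scans (subkey, value name, data) triples for the Run entries, the Userinit hook and the firewall exception described above. The snapshot and the file paths in it are constructed for the demonstration; the value name and drop file name come from the description.

```python
"""Hunt for Trojan:Win32/Duberath.A persistence artifacts in registry
(subkey, value_name, data) triples exported from a suspect host.
The SAMPLE snapshot below is constructed for this demo."""

RUN_KEYS = (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FW_LIST = (r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
VALUE_NAME = "adobe update manager"                 # Run / firewall label used by the trojan
DROP_NAME = r"\local settings\temp\adobeupdater.exe"  # tail of the drop path


def userinit_extras(data):
    """Return every comma-separated entry in a Userinit value other than
    userinit.exe itself. A clean value such as
    'C:\\WINDOWS\\system32\\userinit.exe,' yields an empty list."""
    parts = [p.strip() for p in data.split(",")]
    return [p for p in parts if p and not p.lower().endswith("userinit.exe")]


def find_duberath(entries):
    """Return (kind, detail) findings for the autostart, Userinit and
    firewall modifications this trojan makes; clean entries yield nothing."""
    run_keys = {k.lower() for k in RUN_KEYS}
    findings = []
    for subkey, name, data in entries:
        key, val, low = subkey.lower(), name.lower(), data.lower()
        if key in run_keys and (val == VALUE_NAME or DROP_NAME in low):
            findings.append(("run-key autostart", f"{subkey}\\{name} = {data}"))
        elif key == WINLOGON.lower() and val == "userinit":
            for extra in userinit_extras(data):   # anything appended after userinit.exe
                findings.append(("userinit hijack", extra))
        elif key == FW_LIST.lower() and VALUE_NAME in low:
            findings.append(("firewall exception", data))
    return findings


# Constructed snapshot: one clean Run entry plus the three modifications above.
DROP = r"C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\adobeupdater.exe"
SAMPLE = [
    (RUN_KEYS[1], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEYS[0], "Adobe Update Manager", DROP),
    (WINLOGON, "Userinit", r"C:\WINDOWS\system32\userinit.exe," + DROP),
    (FW_LIST, DROP, DROP + ":*:Enabled:Adobe Update Manager"),
]

if __name__ == "__main__":
    for kind, detail in find_duberath(SAMPLE):
        print(f"[{kind}] {detail}")
```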


Analysis by Gilou Tenebro

Last update 24 September 2010