
Backdoor:Win32/Spentrpa.A


First posted on 10 July 2009.
Source: SecurityHome

Aliases :

Backdoor:Win32/Spentrpa.A is also known as Trojan.Win32.Inject.afeh (Kaspersky), W32/Malware.HCVD (Norman), Win32/Agent.NZZ (ESET), Generic BackDoor!dj (McAfee).

Explanation :

Win32/Spentrpa.A is a backdoor trojan that listens on a specific port for incoming commands and allows unauthorized access and control of an affected system.

Symptoms
System changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>spoolsr.exe
    <system folder>wsdtc.exe



    Installation
    When executed, Win32/Spentrpa.A copies itself to the following locations:
  • <system folder>spoolsr.exe
  • <system folder>wsdtc.exe

    It then sets spoolsr.exe to run as a service, and launches the copy <system folder>wsdtc.exe.
    The trojan then deletes the original executable.

    Payload
    Allows remote access and control: Port 3456
    Win32/Spentrpa.A allows unauthorized access and control of an affected computer. It listens on port 3456 for incoming connections from a remote attacker. Once a connection is established, the malware requests a password. If the correct password is entered, the malware spawns a command shell for the remote attacker that allows them to control the affected computer.
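
An offline triage check for the indicators described above, added here as an example and not part of the original analysis: it correlates collected `netstat -ano` and `tasklist /fo csv /nh` output with a system-folder listing, looking for the two file names and a TCP listener on port 3456. The sample data, function names and verdict labels are constructed for illustration.

```python
import csv

IOC_FILES = {"spoolsr.exe", "wsdtc.exe"}  # file names from the description above
IOC_PORT = 3456                           # listening port from the description above

# Constructed sample artifacts, not taken from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address     Foreign Address   State         PID
  TCP    0.0.0.0:135       0.0.0.0:0         LISTENING     884
  TCP    0.0.0.0:3456      0.0.0.0:0         LISTENING     2212
  TCP    10.0.0.5:49733    10.0.0.9:3456     ESTABLISHED   4100
  TCP    [::]:445          [::]:0            LISTENING     4
"""
SAMPLE_TASKLIST = """\
"spoolsv.exe","1320","Services","0","5,120 K"
"wsdtc.exe","2212","Services","0","1,904 K"
"""
# spoolsv.exe and msdtc.exe are legitimate Windows binaries with similar names.
SAMPLE_SYSTEM_DIR = ["spoolsv.exe", "SPOOLSR.EXE", "msdtc.exe", "wsdtc.exe"]


def listeners_on(netstat_text, port):
    """PIDs of TCP sockets in LISTENING state whose local port equals `port`."""
    pids = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                pids.add(int(f[4]))
    return pids


def pid_names(tasklist_csv):
    """Map PID -> lower-cased image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(tasklist_csv.splitlines())
    return {int(r[1]): r[0].lower() for r in rows if len(r) >= 2}


def triage(netstat_text, tasklist_csv, system_dir_names):
    names = pid_names(tasklist_csv)
    # Windows file names are case-insensitive; match exact names only.
    files = sorted({n.lower() for n in system_dir_names} & IOC_FILES)
    owners = {p: names.get(p, "unknown") for p in listeners_on(netstat_text, IOC_PORT)}
    if files and any(n in IOC_FILES for n in owners.values()):
        verdict = "match"        # files present and one of them owns the listener
    elif files or owners:
        verdict = "investigate"  # a single indicator; port 3456 alone is weak
    else:
        verdict = "no-indicators"
    return {"files": files, "listeners": owners, "verdict": verdict}
```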

    Analysis by Ray Roberts

    Last update 10 July 2009

     
