
Backdoor:Win32/Godo.A


First posted on 20 November 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Godo.A is also known as Backdoor.Makadocs (Symantec), Troj/GoDocs-A (Sophos), Trojan.Win32.Webprefix (Ikarus).

Explanation:

Backdoor:Win32/Godo.A is a backdoor trojan that allows unauthorized access to and control of your computer. It may route its communication with a remote attacker through the Google Docs server.



Installation

Backdoor:Win32/Godo.A is an executable file that uses a Microsoft Word icon. This social engineering technique lures you into loading the trojan by making you think the file is a document.

When you open the file, instead of opening a document you will run the trojan.

The trojan installs a copy of itself as "scvhost.exe" (a name chosen to resemble the legitimate Windows process "svchost.exe") in the <startup folder> so that the copy runs at each Windows start.

Note: <startup folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Startup folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Start Menu\Programs\Startup". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup".



Payload

Contacts remote host

Backdoor:Win32/Godo.A contacts a remote server to upload information about your computer.

The trojan reaches the server by using the Google Docs server as a proxy, so that its traffic blends in with legitimate connections to Google and the true destination is hidden.

Backdoor:Win32/Godo.A may attempt to connect to one of the following servers:

  • 83.222.226.158
  • akamaihub.com
  • msupdatecdn.com
  • stocksengine.net


The trojan sends the following information to the remote server:

  • Your IP address
  • Your operating system's version
  • Your computer's hostname
  • Information about the trojan's installation and version on your computer
  • The type of user account on your computer (for example, whether your user account is a Domain Administrator or Local Administrator account)
  • The time as reported by your computer


Allows backdoor access and control

While connected to the remote server, Backdoor:Win32/Godo.A also allows unauthorized access to and control of your computer. Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, the attacker can:

  • Download and run arbitrary files, including updates to the trojan
  • Upload files
  • Run or terminate applications
  • Delete files

Additional information

Backdoor:Win32/Godo.A connects to the Google Docs server over an SSL-encrypted connection, so the content of its traffic is not visible to network inspection; the destination hosts listed above and the dropped file in the Startup folder remain the practical indicators.
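The following script is an added example, not part of the Microsoft write-up, showing how a defender can turn the indicators above into two checks: a Startup-folder sweep for the dropped "scvhost.exe" copy (covering the Installation section) and a match of the listed remote hosts against proxy log lines (covering the Payload section). The host list and file name come from the page; the log format and the sample lines are constructed for illustration, and the Startup-folder path is the Vista-and-later default the page gives, resolved from the APPDATA environment variable.

```python
"""Detection helpers for the Backdoor:Win32/Godo.A indicators described above.

Added example, not code from the original write-up. The proxy log layout
("timestamp client method host[:port]") and the sample lines are constructed.
"""
import os
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Set

# Indicators taken from the write-up: the copy dropped in the Startup folder
# (a lookalike of the legitimate svchost.exe) and the hosts the trojan may contact.
DROPPED_NAME = "scvhost.exe"
REMOTE_HOSTS = {"83.222.226.158", "akamaihub.com", "msupdatecdn.com", "stocksengine.net"}

# Constructed sample proxy log. The docs.google.com line is deliberately present:
# Google Docs traffic alone is not an indicator, only the listed hosts are.
SAMPLE_PROXY_LOG = """\
2012-11-20T09:14:02Z 10.0.0.15 CONNECT docs.google.com:443
2012-11-20T09:14:05Z 10.0.0.15 CONNECT akamaihub.com:443
2012-11-20T09:15:11Z 10.0.0.22 GET www.example.org:80
2012-11-20T09:16:40Z 10.0.0.15 CONNECT 83.222.226.158:443
"""


def default_startup_folder() -> Optional[Path]:
    """Per-user Startup folder for Vista and later (the default the page lists),
    or None when APPDATA is unset, e.g. on a non-Windows analysis host."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def suspicious_startup_entries(names: Iterable[str]) -> List[str]:
    """Return entries whose name equals the dropped copy. The comparison is
    case-insensitive because NTFS file names are."""
    return [n for n in names if n.lower() == DROPPED_NAME]


def scan_startup_folder(folder: Path) -> List[str]:
    """Apply suspicious_startup_entries to a real directory listing."""
    if not folder.is_dir():
        return []
    return suspicious_startup_entries(p.name for p in folder.iterdir())


LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>[^:\s]+)(?::(?P<port>\d+))?$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    host: str


def match_remote_hosts(log_text: str) -> List[Hit]:
    """Return every log line whose destination host is one of the listed indicators."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        host = m.group("host").lower()
        if host in REMOTE_HOSTS:
            hits.append(Hit(m.group("ts"), m.group("client"), host))
    return hits


def clients_to_triage(log_text: str) -> Set[str]:
    """Distinct internal clients that contacted any indicator, for follow-up."""
    return {h.client for h in match_remote_hosts(log_text)}


if __name__ == "__main__":
    for hit in match_remote_hosts(SAMPLE_PROXY_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.host}")
    print("clients to triage:", sorted(clients_to_triage(SAMPLE_PROXY_LOG)))
    folder = default_startup_folder()
    if folder is not None:
        print("Startup folder matches:", scan_startup_folder(folder))
```

Because the trojan's traffic to the listed hosts is SSL-encrypted, the match works on destination host names and addresses only, which is why the script ignores the docs.google.com line: connections to Google Docs are normal on most networks and cannot by themselves distinguish this backdoor from legitimate use.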



Analysis by Marianne Mallen

Last update 20 November 2012
