Home / malware Backdoor.Dino
First posted on 17 March 2015.
Source: SymantecAliases :
There are no other names known for Backdoor.Dino.
Explanation :
Once executed, the Trojan creates the following files:
%ProgramFiles%\Common Files\wusvcd\wusvcd.exe%System%\WBEM\Logs\wbemprox.log
The Trojan creates the following registry entries:
HKEY_USERS\.default\Software\Microsoft\Wusvcd\"g" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wusvcd\Security\"Security" = "[HEXADECIMAL VALUE]"
The Trojan then creates a service with the following properties:
Display name: Windows Update ServiceStartup type: AutomaticImage path: %ProgramFiles%\Common Files\wusvcd\wusvcd.exeDescription: Windows Update Service
It then creates the following registry subkey to register itself as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wusvcd
Next, the Trojan may connect to the following remote locations:
www.ilovevintage.com/downloader/.log/d/p.php 31.131.1.80/~vectoriu/filescom/inc.php
It uses the following user agent:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Inject malicious code into svchost in order to hide itselfRead configuration data from the browser preference fileCollect proxy information from browsersExecute commandsDownload, upload, and execute filesEnd processesCollect system informationLast update 17 March 2015