Saturday, 25 February 2012

Backdoor:Win32/Turkojan.A


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Aug 28, 2008

Aliases
  • Troj/Agent-GMF (Sophos)
  • Backdoor.Win32.Turkojan.il (Kaspersky)
  • BackDoor-CZP (McAfee)
  • Infostealer.Gampass (Symantec)
  • Trojan Horse (Symantec)
  • TROJ_DELF.EFH (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.385.0
Released: Feb 25, 2012
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008

Summary

Backdoor:Win32/Turkojan.A is a backdoor trojan that connects to a remote server, allowing an attacker to gain control of the entire system.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    mstwain32.exe
  • The presence of the following registry modifications:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "mstwain32" = "%windir%\mstwain32.exe"

Technical Information (Analysis)

Backdoor:Win32/Turkojan.A is a backdoor trojan that connects to a remote server, allowing an attacker to gain control of the entire system.
Installation
Backdoor:Win32/Turkojan.A copies itself to the Windows folder as mstwain32.exe.

It modifies the system registry so that this copy runs every time Windows starts:

Adds value: "mstwain32"
With data: "%windir%\mstwain32.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
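
The Run-key value and the dropped file described above are the two persistence indicators a responder checks first. The following Python script is an added example written for this page, not Microsoft's code: it parses a constructed .reg export of the HKCU Run key and a constructed file listing (the kind of artefacts a triage collection yields), flags entries that match the Turkojan.A indicators, and includes a winreg-based variant for a live Windows host. The function names, the sample data, and the matching rules (value name or executable basename, compared case-insensitively so a different drive letter or %windir% still hits) are this example's own assumptions.

```python
"""Check a host for the Backdoor:Win32/Turkojan.A persistence indicators
documented above: a Run-key value named "mstwain32" whose data points at
%windir%\\mstwain32.exe, and that file in the Windows folder.

Added example, not Microsoft's code. The .reg export and the file listing
below are constructed sample data; the function names and matching rules
(value name or executable basename, case-insensitive) are this example's
own assumptions.
"""
import ntpath
import os
import re
import sys

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "mstwain32"      # Run-key value name from the page
IOC_FILE_NAME = "mstwain32.exe"   # dropped file name from the page

# Constructed .reg export of the HKCU Run key: one benign entry plus the IOC.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"mstwain32"="C:\\Windows\\mstwain32.exe"
"""

# Constructed directory listing standing in for a triage file collection.
SAMPLE_FILE_LISTING = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\mstwain32.exe",
    r"C:\Windows\System32\cmd.exe",
]

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a REGEDIT 5.00 export.
    Only REG_SZ values are parsed; the .reg backslash escapes are undone."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return keys


def _executable_name(command):
    """Lower-cased basename of the program in a Run-key command line,
    handling both the quoted ("C:\\dir\\x.exe" /arg) and bare forms."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        path = parts[0] if parts else ""
    return ntpath.basename(path).lower()


def run_key_indicators(run_values):
    """Run-key entries whose value name or executable matches the IOC.
    Matching the basename rather than the full path keeps the check
    working when the drive letter or %windir% differs from C:\\Windows."""
    return [(name, data) for name, data in run_values.items()
            if name.lower() == IOC_VALUE_NAME
            or _executable_name(data) == IOC_FILE_NAME]


def file_indicators(paths):
    """Paths in a file listing whose basename is the dropped file's name."""
    return [p for p in paths if ntpath.basename(p).lower() == IOC_FILE_NAME]


def scan(reg_export_text, file_listing):
    """Run both checks over collected artefacts (offline triage)."""
    run_values = parse_reg_export(reg_export_text).get(RUN_KEY, {})
    return {"run_key": run_key_indicators(run_values),
            "files": file_indicators(file_listing)}


def scan_live_host():
    """Same checks against the running machine; winreg exists only on Windows."""
    if sys.platform != "win32":
        raise RuntimeError("live scan requires Windows")
    import winreg
    run_values = {}
    sub = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:   # raised once the index runs past the last value
                break
            run_values[name] = str(data)
            index += 1
    candidate = os.path.join(os.environ.get("windir", r"C:\Windows"), IOC_FILE_NAME)
    present = [candidate] if os.path.isfile(candidate) else []
    return {"run_key": run_key_indicators(run_values), "files": file_indicators(present)}


if __name__ == "__main__":
    print(scan(SAMPLE_REG_EXPORT, SAMPLE_FILE_LISTING))
```

For offline use, feed `scan()` the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` taken from the suspect machine together with a listing of its Windows folder. Note that the value name and file name are the only indicators this page documents, so a build of the backdoor that renames them would not be caught by this check; treat a hit as confirmation, not its absence as a clean bill.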
Payload
Drops Other Malware
Backdoor:Win32/Turkojan.A drops the following files:

Backdoor Capabilities
Backdoor:Win32/Turkojan.A attempts to connect to a remote server to allow an attacker to gain control over the infected system.

Once connected to the remote server, an attacker can perform actions including:

  • Obtain passwords
  • Sniff MSN account details
  • Open a shell
  • Get information about the computer
  • Get clipboard data
  • Get process and service information
  • Log keystrokes
  • Download and execute arbitrary files

Analysis by Matt McCormack
