Backdoor.A_94 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.
Process Related Changes
It creates the following mutex(es):
- SHIMLIB_LOG_MUTEX"
- ZonesLockedCacheCounterMutex"
- CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- ZoneAttributeCacheCounterMutex"
- ZonesCacheCounterMutex"
- ZonesCounterMutex"
- CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
It creates the following process(es): - C:\WINDOWS\system32\cmd.exe
- C:\WINDOWS\Temp\ea7221ee30f9c7d6b7de4fc221a9dafd.exe [ \c:\windows\temp\ea7221ee30f9c7d6b7de4fc221a9dafd.exe ]
Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot: - HKLM\system\CurrentControlSet\Services\.netclr\= Microsoft.NETCOMIntegrationwithSOAP
- HKU\s-1-5-21-1078081533-842925246-854245398-1003classes\exefile\shell\open\command\= Microsoft.NETCOMIntegrationwithSOAP
- HKLM\software\microsoft\windowsnt\currentversion\drivers32\= Microsoft.NETCOMIntegrationwithSOAP
- HKCR\exefile\shell\open\command\= Microsoft.NETCOMIntegrationwithSOAP
|
