SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  BackDoor.FBHS
BackDoor.FBHS is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

File Related Changes
It drops the following file(s) on the system:
  • "C:\Documents and Settings\Admin\Local Settings\Application DataURGhJYeTbp.exe"
  • "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe"

Process Related Changes
It creates the following mutex(es):
  • .net clr networking"
  • 5cd8f17f4086744065eb0992a09e05a2"
  • ZonesLockedCacheCounterMutex"
  • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • ZoneAttributeCacheCounterMutex"
  • ZonesCacheCounterMutex"
  • ZonesCounterMutex"
  • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • SHIMLIB_LOG_MUTEX"
  • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • MSCTF.Shared.MUTEX.IKH"
  • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"

It creates the following process(es):
  • C:\Documents and Settings\Admin\Local Settings\Application DataURGhJYeTbp.exe
  • C:\WINDOWS\system32\netsh.exe [ netsh firewall add allowedprogram C:\Documents and Settings\Admin\Local Settings\Temp\Trojan.exe \Trojan.exe ENABLE ]
  • C:\WINDOWS\system32\rundll32.exe [ \rundll32.exe C:\WINDOWS\system32\shimgvw.dllImageView_Fullscreen C:\Documents and Settings\Admin\Local Settings\Application DatagMGyghbfQN.jpg ]
  • C:\WINDOWS\Temp\7d89955a84a32720bb73038189c3e5a0.exe [ \c:\windows\temp\7d89955a84a32720bb73038189c3e5a0.exe ]
  • C:\DOCUME1\Admin\LOCALS1\Temp\Trojan.exe

Network Activity
We observed the following DNS query/queries:
  • bodu20.ddns.net

It attempts to connect to the following remote servers:
  • 41.232.xxxxxx:1178

Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot:
  • W2DvzkiAcKEwpCslrCvcOGRcKpVkPCpcOjw755w5nCiMOLKsOAMMKRwrJwcHDrsOXwqfCqSnCkVHDmRbDr8OJwozDgRM4wrvCoGhJwqnCvcK2w53CrMOSwqPDlHjDsnDDki5Bw5vDj8Ovwp0twrJUCcOnwooQw7wKF8KIdcOwSSbDh8OBOMO5w7rDlsKFwr3DmMOnwqYdwppKw6ZDSB3CoDvCl1TCtMOOU8Kcw5bCmcK8w7B9f8KICHoZwpbDtcKiKcKnw7V7IkFtdcKxI8OTP1dQDsKOcg1qwqZdw6vDqGomwpTCkcOQw43CrVN7dsKTwqLDmcKRwozDpickdcOpwrAmL3l5BwwsTkQpwrvDtMKTwrgbw5jDpMOgVibDq8Ocw5p7w6zCmXvDnsOANsObdhc3RMO2GxjDicOAwoAENk3Dl8KtRcOZcA1DQxDgsOESVXDvsKMbcKQTcKODU1Fw51cdCTCvcOLF8KVwqXDp8KlwozCoz9TwqJtwrLDs8KXVlVyw7rCoR3Ci1swMnYpwpLDkMOoZUtQdyzCiRzDncKkw4haTRrDrsOfw5sZwrXDrsKIw6p6woPCn0DCu2VycHzCjBFvazwiYnxrw404wpRVw5nDgz5BQVLCmw9KwqNIw77Dq8OIwrA3cCPCqW0oO0jDnsKuwrHCvXnCnUkgT1YkwqnDnAF6IxDlW1BbiZsUVrCsUXDusKpwo4nLcKdemDCksKQwpUicQHCgsO4wqfDhh7DkzXDtsOwonCl8K6w7rDmcK3Ql9jw4dXT3fDgSDtgxhwqHDqMKTworCs8O7QMOrLsOEwos7w50PBMKqBMKPcsKjwqHCqVAwMloZwrELN3jDjxJxwpQObMOw6TCv8K5w63CiX3DlCfDqUhLw4zCvMKfwoNpw4DDuMKXYlhYw6HCjsOgw7ZMwrspa3vDtj0FwqrCs8OpwrMfw5NcCnDDkWYe8OZS8KowrHCm3YJwqfCjMOdKg3CkjEYw75w4xUwoCt8O0w5BDcOYw4QFTcOnDyjCoXtyb8KAwrrDn38zXh7DlcKwqXCjcKiRAzDsgURwqDhMOkeynCo8ODwrIEWcKkw40CaxfCvsKofcODw6zDlVtZw5bDusOAZ0siw4FBw7UKFsOywrbCjsO0VxYcw40vBHoIwrw6dcOjwpzCji4YPFNrDsKAaDx4wo9CF8Kvw4LDq3hgL8KzJsKsw5AHLFRbw7IELMOWPiXCs8OGw7LDmcKfS8KAc8Ouw5rCpD3DrMOtw4tFw5DDghTCs8OoaMKBRzUmFsKywo5kD8KhUR1kw6jDkBLDmBXCr0A3w5Isw4lAZsKPwq0zasOBwoo8S0TCq8KkeQ= _Special_Characters_
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\= C:\DocumentsandSettings\Admin\LocalSettings\Temp\Trojan.exe..
  • HKU\s-1-5-21-1078081533-842925246-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run\= C:\DocumentsandSettings\Admin\LocalSettings\Temp\Trojan.exe..


Relevant Information