HORSMY
Fucobha, Hormesu
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
HORSMY variants are backdoors that are capable of receiving commands from a malicious user. This malware family can also gather system information such as the following:
- Hostname
- IP Address
- List of running processes
- Operating system and version
- Language Version
- Location of Windows system folder
It saves the information it gathers in a .DAT file. It then waits for further commands from a remote computer.
TECHNICAL DETAILS
Installation
This backdoor drops the following files:
- %Windows%\wdmaud.drv
- %System%\tmp.dat – contains gathered information and is deleted afterwards
(Note: %Windows% is the Windows folder, which is usually C:\Windows. %System% is the Windows system folder, which is usually C:\Windows\System32.)
It injects threads into the following normal process(es):
- Explorer.exe
Other Details
This backdoor connects to the following possibly malicious URLs:
- http://www.{BLOCKED}bit.com/tt/upload.aspx?filepath=info&filename=000C29B984B4_{IP Address}.jpg
- http://www.{BLOCKED}bit.com/tt/order/000C29B984B4_{IP Address}.jpg
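The two request patterns above give a network-side indicator: an upload of the gathered info file followed by a fetch from the order path, both named with a 12-hex-character prefix and the victim's IP address. The following is an added example, not part of the original entry, of matching those patterns over proxy log lines; the domain is redacted as {BLOCKED} on the page, so the host is matched generically with a placeholder name, the log format is constructed for the example, and it is an assumption that the hex prefix varies per infected host.

```python
import re
from typing import List, Dict

# Regex for the two request patterns described in the entry. The host label is
# redacted as {BLOCKED} on the page, so it is matched generically here
# (assumption: any host ending in "bit.com"); the 12-hex-digit prefix in the
# file name is assumed to vary per infected host rather than being fixed.
HORSMY_URL = re.compile(
    r"^https?://www\.[a-z0-9-]*bit\.com/tt/"
    r"(?P<kind>upload\.aspx\?filepath=info&filename=|order/)"
    r"(?P<prefix>[0-9A-Fa-f]{12})_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.jpg$"
)


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose URL field matches the HORSMY pattern.

    Assumed log format (constructed for this example): whitespace-separated
    fields "<timestamp> <client-ip> <method> <url> <status>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        m = HORSMY_URL.match(parts[3])
        if not m:
            continue
        hits.append({
            "client": parts[1],
            # "upload" is the info-file exfiltration, "order" the command fetch
            "stage": "upload" if m.group("kind").startswith("upload") else "order",
            "victim_ip": m.group("ip"),
            "prefix": m.group("prefix").upper(),
        })
    return hits


# Constructed sample log lines; the host name is a placeholder, not a real indicator.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://www.examplebit.com/tt/upload.aspx?filepath=info&filename=000C29B984B4_10.0.0.5.jpg 200",
    "2024-01-01T10:00:05Z 10.0.0.5 GET http://www.examplebit.com/tt/order/000C29B984B4_10.0.0.5.jpg 404",
    "2024-01-01T10:00:07Z 10.0.0.9 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Grouping hits by client and requiring both stages from the same host within a short window cuts down on false positives from a single odd-looking URL.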