BKDR_POISON.PSN
W32/Rimecud.Y.gen!Eldorado (generic, not disinfectable) (Fprot), Found Luhe.Fiha.A (AVG)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
331,776 bytes
EXE
26 Apr 2013
Arrival Details
This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
NVIDIA MCCSServer = "{Malware Path and Filename}.exe"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
FastMofa
Other Details
This backdoor connects to the following possibly malicious URL:
- {BLOCKED}.103.172