BKDR_REMOSH.BD
Backdoor:Win32/Remosh.gen!A (Microsoft), Trojan.Gen (Symantec), Gen:Trojan.Heur.FU.bqW@a8UY8zdi (FSecure), TR/Dropper.Gen (Antivir), Gen:Trojan.Heur.FU.bqW@a8UY8zdi (Bitdefender), PUA.Win32.Packer.SetupExeSection (Clamav), Win32/Agent.PGE trojan (NOD32), Suspicious file (Panda), TrojanDropper.Agent.fsix (VBA32)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor may be dropped by other malware. It may be manually installed by a user.
It uses common file icons to trick a user into thinking that the files are legitimate.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This backdoor may be dropped by the following malware:
- SWF_DROPPER.BD
It may be manually installed by a user.
Installation
This backdoor drops the following component file(s):
- %System%\recycler32.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Its DLL component is injected to the following process(es):
- svchost.exe
It uses common file icons to trick a user into thinking that the files are legitimate.
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\6to4
ImagePath = %systemroot%\system32\svchost.exe -k netsvcs
Other System Modifications
This backdoor adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\6to4\Parameters
ServiceDll = %System%\recycler32.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\6to4\Security
Security = {random value}
Other Details
This backdoor deletes itself after execution.