Details:
Arrival Details
This backdoor is dropped by other malware.
It can also be downloaded unknowingly by a user when visiting malicious Web sites.
Installation
This backdoor drops the following copy of itself:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Techniques
This backdoor creates the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
OfficeWord Monitors = "%System%\Offlce.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OfficeWord Monitors = "%System%\Offlce.exe"
Other System Modifications
This backdoor modifies the following registry entry to disable the DCOM protocol:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"
It modifies the following registry entry as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = "1"
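The autostart entries and the two registry modifications above are the host-level indicators a responder would check for. The script below is an added example, not part of this write-up: it parses a registry export (.reg text) and flags the Run-key value "OfficeWord Monitors", any autostart pointing at Offlce.exe (note the lowercase L standing in for the i of "Office"), EnableDCOM set to "N", and restrictanonymous set to 1. The SAMPLE_REG_EXPORT text is constructed here to mirror the described state, and the benign "Updater" entry in it is also made up; the parser accepts restrictanonymous either as the string shown above or as the REG_DWORD it actually is on a live system.

```python
import re

# Constructed sample .reg export (not taken from the write-up) that
# reproduces the registry state it describes, plus one benign Run entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OfficeWord Monitors"="C:\\Windows\\System32\\Offlce.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeWord Monitors"="C:\\Windows\\System32\\Offlce.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

# Key paths from the write-up, lower-cased because registry paths are
# case-insensitive. A tuple keeps finding order deterministic.
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
OLE_KEY = r"hkey_local_machine\software\microsoft\ole"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Indicators quoted from the write-up.
IOC_VALUE_NAME = "officeword monitors"
IOC_BASENAME = "offlce.exe"   # lowercase L where "Office" has an i

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: data}}.

    String data is unescaped (\\\\ -> \\), dword data becomes an int. Other
    value types are skipped because the checks here do not need them.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
    return keys


def find_indicators(keys):
    """Return human-readable findings for each indicator from the write-up."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            # Basename of the launched file, ignoring surrounding quotes.
            exe = str(data).strip('"').split("\\")[-1].lower()
            if name == IOC_VALUE_NAME or exe == IOC_BASENAME:
                findings.append(f"autostart: {key}\\{name} -> {data}")
    if str(keys.get(OLE_KEY, {}).get("enabledcom", "")).upper() == "N":
        findings.append("dcom disabled: EnableDCOM = N")
    ra = keys.get(LSA_KEY, {}).get("restrictanonymous")
    if ra is not None and str(ra) == "1":
        findings.append("lsa change: restrictanonymous = 1")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a real host, feed it the output of `reg export` for the four keys above (or a full hive export); the EnableDCOM and restrictanonymous checks alone are weak signals, since administrators may set them deliberately, so treat them as corroborating evidence next to the Run-key match rather than as a detection by themselves.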
Other Details
This backdoor connects to the following URLs:
- http://{BLOCKED}l.radioks.net/ma.exe - inaccessible as of this writing
- http://www.{BLOCKED}ite.net/md.exe - copy of itself
Revision History: