BKDR_LIFTOH.DBT
Trojan:Win32/Alureon.GC (Microsoft), Downloader.Liftoh (Symantec), W32/Slenfbot (McAfee), Trojan.Win32.Zbocheman.fb (v) (VIPRE), TR/Alureon.GC.10 (Antivir), W32/Trojan3.CAY (exact) (F-Prot), Trojan.Alureon (Ikarus), Win32/Gapz.E trojan (ESET)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system and executes them:
- %All Users Profile%\Application Data\{random letters}sacfsfdsf.exe
(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)
It terminates the execution of the copy it initially executed and executes the copy it drops instead.
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random letters}sacfsfdsf = "%All Users Profile%\Application Data\{random letters}sacfsfdsf.exe"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_CURRENT_USER\Software\{random letters}sacfsfdsf
It adds the following registry entries:
HKEY_CURRENT_USER\Software\{random letters}sacfsfdsf
CurrentPath111 = "%All Users Profile%\Application Data\{random letters}sacfsfdsf.exe"
Other Details
This backdoor connects to the following possibly malicious URL:
- http://{BLOCKED}t.ru/power/c1.php
- http://{BLOCKED}mcam.ru/power/c1.php