| Field | Value |
|---|---|
| Malware name | Trojan.Backdoor.McMaggot.A |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | F596B22087D6404D538825413E266131 |
| Static file | yes |
| Filesize | 157,184 Bytes |

Alias names (also known as):

| Vendor | Name |
|---|---|
| Sophos | W32/Autorun-RI |
| McAfee | W32/Xirtem@MM |
| CA ETrust | Win32/Sdbot.LN |

Side effects:
- Drops a file
- Records keystrokes
- Registry modification
- Steals information
- Third party control

Propagation: No own spreading routine
Description:
Files
The following file is created:
– %WINDIR%\drm.ocx
Registry
The following registry values are added:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • "QnX"="c:\%malware execution directory%\qnx.exe"
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • "QnX"="c:\%malware execution directory%\qnx.exe"
The following registry key is added in order to load the service after reboot:
– HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
  • "StubPath"="\"c:\%malware execution directory%\qnx.exe\""
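The following PowerShell script is an added example for responders and is not part of the original description. It reads the three autostart locations listed above (two Run keys and the Active Setup component) and reports any value that matches the "QnX" name, the dropped `qnx.exe` path, or the Active Setup StubPath, and checks whether the dropped file `%WINDIR%\drm.ocx` is present. The value name, key paths, GUID and file name come from the description; the matching logic and output format are assumptions made here. It only reads; it does not remove anything.

```powershell
# Added example (not from the original description): audit the persistence
# locations named in the description for Trojan.Backdoor.McMaggot.A.
# Run in an elevated PowerShell on the host under investigation.

# Key paths and GUID are taken from the description.
$locations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}'
)

$findings = @()
foreach ($key in $locations) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own metadata properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        $value = [string]$p.Value
        $isActiveSetup = $key -like '*77520Q86-864L-N81R-0R2W-7U2G0P22436U*'
        if ($p.Name -eq 'QnX' -or $value -match '(?i)\\qnx\.exe' -or ($isActiveSetup -and $p.Name -eq 'StubPath')) {
            $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value }
        }
    }
}

# Dropped file named in the description. The MD5 on the page belongs to the
# analysed sample, so the hash is reported for comparison, not as proof.
$dropped = Join-Path -Path $env:WINDIR -ChildPath 'drm.ocx'
if (Test-Path -Path $dropped) {
    $md5 = (Get-FileHash -Path $dropped -Algorithm MD5).Hash
    $findings += [pscustomobject]@{ Key = 'FILE'; Name = $dropped; Value = "MD5=$md5" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the description were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Active Setup entries run their StubPath once per user profile at logon, so a HKLM entry of this kind re-launches the dropped executable for every account on the machine, not only the one that executed the sample. When cleaning up, remove the Active Setup component key together with both Run values; otherwise the remaining entry restores the infection at the next logon.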
Backdoor
Contact server: the following:
• web1.**********.org
As a result, it may send information to this server, and remote control of the infected system may be provided.
It sends the following information:
• Information about running processes
• Captured keystrokes (the keylogger is started on command)
Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer: In order to hamper detection and reduce the file size, it is packed with a runtime packer.