Backdoor.Win32.Httpbot.abe

From Total Malware Info


Backdoor.Win32.Httpbot.abe — malicious software that provides a criminal with remote access to the infected computer. It is a Windows executable (PE-EXE file) of 32 011 bytes, packed with MEW; the unpacked size is about 41 KB. It is written in C++.

Installations

After it starts, the backdoor copies itself to the following location:

%System%\sadf.exe

The file is created with the “hidden” attribute. To remove its original file, the backdoor runs the command shell with the following parameters:

/c del <full path to backdoor's original file> >> NUL

Then, the backdoor terminates its execution.

Payload

After it starts, the backdoor performs the following actions:

  • it creates the unique identifier:
    MNUG65JOHA4DMNRON5ZGOORSGAYDS===
  • it extracts a file from its body; this file is later saved as:
  • it creates and runs a system service named “sadfsdfa”. The extracted file is used as the service executable.
  • it connects to the remote host:
    chou.8866.org
  • it sends the following information to the remote host:
      • the value of the system registry key
        [HKLM\Hardware\Description\System\CentralProcessor\0]
        "ProcessorNameString"
      • operating system version;
      • physical and virtual memory consumption;
      • default system locale;

  • Then the backdoor enters a command wait state. A criminal can send a command identifier, and depending on the identifier the backdoor performs different actions:
  • 0x100000, 0x2000000 – denial of service attack on specified hosts;
  • 0x800000 – shutdown;
  • 0x400000 – reboot;
  • 0x4000000 – download a file from a specified URL. The file is stored in the root of the C: drive as c:\2.exe;
  • 0x8000000 – process start;
  • 0x1000000 – remove the service "sadfsdfa" and the file "%System%\drivers\PCIDump.sys".
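As an added example (not part of the original description), the following Python script checks a host inventory for the indicators listed above (dropped files, the service name, the self-delete command line and the C2 host) and decodes the identifier, which is valid base32 of the C2 host and port. The inventory format and the sample inventories are constructed for this example.

```python
import base64
import re

# Indicators taken from the description above. The "unique identifier" is valid
# base32 and decodes to the C2 host and port (see decode_identifier).
IDENTIFIER = "MNUG65JOHA4DMNRON5ZGOORSGAYDS==="
DROPPED_FILES = ["%System%\\sadf.exe", "%System%\\drivers\\PCIDump.sys", "c:\\2.exe"]
SERVICE_NAME = "sadfsdfa"
SELF_DELETE = re.compile(r"/c\s+del\s+\S.*>>\s*NUL\b", re.IGNORECASE)  # cmd /c del <file> >> NUL

def decode_identifier(ident):
    """Decode the base32 identifier to its plaintext (host:port)."""
    return base64.b32decode(ident).decode("ascii")

def expand_system(path, system_dir):
    """Expand %System% and lower-case the path for case-insensitive comparison."""
    return path.replace("%System%", system_dir).lower()

def check_host(snapshot, system_dir="C:\\Windows\\System32"):
    """Return the indicators from this description that match a host inventory.
    `snapshot` is a hypothetical shape used only in this example:
    {"files": [...], "services": [...], "cmdlines": [...], "dns": [...]}."""
    hits = []
    present = {p.lower() for p in snapshot.get("files", [])}
    for path in DROPPED_FILES:
        if expand_system(path, system_dir) in present:
            hits.append("file:" + path)
    if SERVICE_NAME in {s.lower() for s in snapshot.get("services", [])}:
        hits.append("service:" + SERVICE_NAME)
    if any(SELF_DELETE.search(c) for c in snapshot.get("cmdlines", [])):
        hits.append("cmdline:self-delete via cmd /c del ... >> NUL")
    c2_host = decode_identifier(IDENTIFIER).split(":")[0]
    if c2_host in {d.lower() for d in snapshot.get("dns", [])}:
        hits.append("dns:" + c2_host)
    return hits

# Constructed sample inventories (not real telemetry).
INFECTED_HOST = {
    "files": ["C:\\Windows\\System32\\sadf.exe", "C:\\Windows\\System32\\drivers\\PCIDump.sys"],
    "services": ["Dnscache", "sadfsdfa"],
    "cmdlines": ["cmd.exe /c del C:\\Users\\u\\Downloads\\setup.exe >> NUL"],
    "dns": ["chou.8866.org", "www.example.com"],
}
CLEAN_HOST = {"files": ["C:\\Windows\\notepad.exe"], "services": ["Dnscache"],
              "cmdlines": ["explorer.exe"], "dns": ["www.example.com"]}

if __name__ == "__main__":
    print(decode_identifier(IDENTIFIER))  # chou.8866.org:2009
    print(check_host(INFECTED_HOST), check_host(CLEAN_HOST))
```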

Removal Instructions

Perform a full scan with antivirus software using up-to-date signature databases.
