MSIL/Arcdoor [Threat Name]

MSIL/Arcdoor.AH [Threat Variant Name]

Category trojan,worm
Size 40960 B
Aliases Trojan.Win32.Jorik.Arcdoor.jt (Kaspersky)
  Backdoor:MSIL/Pontoeb.B (Microsoft)
  W32.SillyFDC (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself to the following locations:

  • %appdata%\audiohd.exe
  • %system%\WUDHosts.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Audio Driver" = "%appdata%\audiohd.exe"
    • "Windows-Network Component" = "%system%\WUDHosts.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Audio Driver" = "%appdata%\audiohd.exe"
    • "Windows-Network Component" = "%system%\WUDHosts.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2

The trojan executes the following command:

  • cmd.exe /C netsh firewall add allowedprogram %malwarefilepath% http-bot ENABLE

This command adds an exception for the trojan's executable to the Windows Firewall.

Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • user name

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • open a specific URL address
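The following host-triage script is an added example, not part of the ESET entry: it checks a Windows machine for the persistence artifacts listed above (the two file copies, the Run-key values, the Explorer "Hidden" setting and the firewall exception). File paths and value names are taken from the entry; the firewall check assumes the legacy netsh command produced an Advanced Firewall rule whose display name is "http-bot".

```powershell
# Added triage script (not part of the ESET description). Checks for the
# artifacts the entry lists; run in an elevated PowerShell session.
$findings = @()

# File locations the trojan copies itself to (%system% = System32)
$paths = @(
    (Join-Path $env:APPDATA 'audiohd.exe'),
    (Join-Path $env:SystemRoot 'System32\WUDHosts.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Autostart values under both HKLM and HKCU Run keys
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueNames = @('Windows Audio Driver', 'Windows-Network Component')
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($v in $valueNames) {
        if ($null -ne $props.$v) {
            $findings += "Run value '$v' in $k = $($props.$v)"
        }
    }
}

# Explorer setting "Hidden" = 2 (do not show hidden files). This is also the
# Windows default, so treat it only as corroborating evidence.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue).Hidden
if ($hidden -eq 2) { $findings += "Explorer Advanced\Hidden = 2 (default; weak signal)" }

# Firewall exception created via 'netsh firewall add allowedprogram ... http-bot'
# Assumption: the legacy command maps to a rule with display name "http-bot".
$rule = Get-NetFirewallRule -DisplayName 'http-bot' -ErrorAction SilentlyContinue
if ($rule) {
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    $findings += "Firewall rule 'http-bot' present, program = $prog"
}

if ($findings.Count -eq 0) { 'No Arcdoor.AH artifacts found.' } else { $findings }
```

A hit on the file paths or Run values is the meaningful indicator; the Hidden setting and the rule name alone are easily coincidental.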
