Win32/Amitis.143 [Threat Name]
| Detection created | 2004-03-19 |
Short description
Win32/Amitis.143.B serves as a backdoor. It can be controlled remotely. The file is run-time compressed using UPX .
Installation
The trojan may create copies of itself using the following filenames:
- %windir%\kernel32.dlI
The file name may vary depending on the current settings stored in the malware executable.
The trojan can modify the following files:
- win.ini
- system.ini
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Kernel32" = "%windir%\kernel32.dlI"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
- "Kernel32" = "%windir%\kernel32.dlI"
This causes the trojan to be executed on every system start.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
- "showed" = "yes"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableTaskMgr" = "1"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\%variable%]
- "%variable%" = "%variable%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\%variable%\Shell\Open]
- "command" = "%1"
A string with variable content is used instead of %variable% .
Information stealing
The following information is collected:
- information about the operating system and system settings
- computer name
- user name
- computer IP address
- current screen resolution
- number of milliseconds that have elapsed since the system was started
- Internet Explorer version
- Registry entries
- the path to specific folders
- list of running processes
- data from the clipboard
- screenshots
- the list of installed software
- list of disk devices and their type
- list of files/folders on a specific drive
- file(s) content
- login user names for certain applications/services
- login passwords for certain applications/services
- type of Internet connection
- webcam video/voice
- logged keystrokes
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The malware configuration is passed as command line parameters or read from the file when the malware executable is launched.
The TCP, FTP, HTTP, SMTP protocol is used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- create Registry entries
- delete Registry entries
- log keystrokes
- show fake alerts
- manipulate application windows
- swap mouse buttons
- set clipboard data
- send IM messages
- send mail
- create folders
- delete folders
- delete files
- rename files
- move files
- set file attributes
- send requested files
- terminate running processes
- open the CD/DVD drive
- play sound/video
- log off the current user
- make operating system unbootable
- turn the display off
- shut down/restart the computer
- uninstall itself
The trojan affects the behavior of the following applications:
- Winamp
- Notepad
- Wordpad
- Mediaplayer
- Aol Messenger
- MSN Messenger
- Yahoo Messenger