Win32/Botnachala [Threat Name]

Win32/Botnachala.B [Threat Variant Name]

Category: trojan
Size: 34816 B
Detection created: Feb 13, 2012
Detection database version: 6879
Aliases: Backdoor.Win32.Agent.it (Kaspersky), Backdoor:Win32/Agent.JQ (Microsoft), BackDoor.Agent.8.AB (AVG)
Short description

Win32/Botnachala.B serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to one of the following locations:

  • %windir%\csrss.exe
  • %temp%\csrss.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Krnlcheck" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Krnlcheck" = "%malwarefilepath%"

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The trojan opens a random TCP port.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan can modify the following files:

  • %windir%\hosts
  • %system%\drivers\etc\hosts

The trojan writes the following entries to the file:

This way the trojan blocks access to specific websites.
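As an added illustration (not code from this ESET entry), the following Python script audits a hosts file for the blocking technique described above: vendor and update domains mapped to a loopback address. The watchlist of domain suffixes and the sample hosts content are constructed assumptions.

```python
"""Audit a Windows hosts file for the blocking technique this entry describes:
security-vendor and update domains pointed at the local machine. Constructed example."""
from __future__ import annotations
import ipaddress

# Assumption: a representative watchlist of domains a defender expects to be reachable.
WATCHLIST_SUFFIXES = (
    "microsoft.com", "symantec.com", "mcafee.com", "kaspersky.com",
    "kaspersky-labs.com", "sophos.com", "f-secure.com", "trendmicro.com",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs; one hosts line may list several names."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, never resolves
        pairs.extend((fields[0], name.lower().rstrip(".")) for name in fields[1:])
    return pairs

def on_watchlist(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHLIST_SUFFIXES)

def find_sinkholed(text: str) -> list[tuple[str, str]]:
    """Flag watchlisted names mapped to loopback or 0.0.0.0; localhost lines
    and ordinary LAN overrides are left alone."""
    flagged = []
    for ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and host not in LOCAL_NAMES \
                and on_watchlist(host):
            flagged.append((ip, host))
    return flagged

SAMPLE_HOSTS = """\
# constructed sample: legitimate entries plus two trojan-style lines
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.local
127.0.0.1 windowsupdate.microsoft.com   # injected by the trojan
127.0.0.1 www.symantec.com liveupdate.symantec.com
"""
```

Running find_sinkholed over the contents of %system%\drivers\etc\hosts returns the injected mappings; on the sample it reports the three vendor names and leaves the localhost and LAN entries alone.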
