Win32/Mangzamel [Threat Name]

Win32/Mangzamel.A [Threat Variant Name]

Category trojan
Size 155648 B
Aliases Backdoor:Win32/Mangzamel.A (Microsoft)
  HKTL_STELTHUN.A (TrendMicro)
Short description

The trojan serves as a backdoor. It can be controlled remotely. It uses techniques common for rootkits.

Installation

When executed, the trojan creates the following files:

  • %system%\drivers\DmConfig.sys (15488 B)

The trojan does not create any copies of itself.

The trojan registers itself as a system service using the following name:

  • RPC Encrypt Configure Service

The trojan installs the following system driver:

  • %system%\drivers\DmConfig.sys

The trojan hooks the following Windows APIs:

  • NtDeviceIoControlFile
  • NtOpenProcess
  • NtQueryDirectoryFile
  • NtQuerySystemInformation

Other information

The trojan serves as a backdoor.

It can be controlled remotely.

It can execute the following operations:

  • open ports
  • connect to a specific port on remote computers
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • send gathered information

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarepath%" = "%malwarepath%:*:Enabled:RPC Encrypt Configure Service"

This Registry entry creates an exception for the trojan in the Windows Firewall, so its inbound and outbound connections are not blocked.
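
The following PowerShell check is an added example and is not part of the ESET entry; it looks for the artifacts this page lists (the service name, the driver file and its size, and the firewall exception) on a Windows host. The indicator values are taken from the page; the function name Test-MangzamelIndicators and the variable names are this example's own. Because the trojan hooks NtQueryDirectoryFile and NtQuerySystemInformation, a live check on an infected machine may be blinded; the same artifacts can be checked from an offline image or a clean boot environment.

```powershell
# Added example (not ESET's code): check a host for the Win32/Mangzamel.A
# artifacts listed on this page. Indicator values are from the page;
# function and variable names are this example's own.

$ServiceName  = 'RPC Encrypt Configure Service'
$DriverPath   = Join-Path $env:SystemRoot 'System32\drivers\DmConfig.sys'
$DriverSize   = 15488   # size reported on the page, in bytes
$FirewallKeys = @(
    # the page names ControlSet001; CurrentControlSet is checked as well
    'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)

function Test-MangzamelIndicators {
    $findings = @()

    # 1. Service registered under the name the page lists (service name or display name).
    #    The SCM view can be hooked, so the Services registry key is checked too.
    $svc = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName }
    if ($svc) { $findings += "Service present: $ServiceName (status $($svc.Status))" }
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (Test-Path $svcKey) { $findings += "Service registry key present: $svcKey" }

    # 2. Driver file on disk; report its size next to the size the page gives.
    if (Test-Path $DriverPath) {
        $size = (Get-Item $DriverPath).Length
        $findings += "Driver file present: $DriverPath ($size B; page reports $DriverSize B)"
    }

    # 3. Firewall exception whose value data ends with ':Enabled:<service name>',
    #    matching the "%malwarepath%:*:Enabled:RPC Encrypt Configure Service" entry.
    foreach ($key in $FirewallKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like "*:*:Enabled:$ServiceName") {
                $findings += "Firewall exception in ${key}: $($p.Name) = $($p.Value)"
            }
        }
    }

    return $findings
}

$result = @(Test-MangzamelIndicators)
if ($result.Count -eq 0) {
    'No Win32/Mangzamel.A indicators found.'
} else {
    $result
}
```

Run it from an elevated PowerShell session so the HKLM service and firewall keys are readable; a non-empty result lists each matching artifact and where it was found, which is enough to decide whether to pull the host for an offline image.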
