Win32/Medbot [Threat Name]
Win32/Medbot.CD [Threat Variant Name]
Category | trojan
Aliases | Trojan-Proxy.Win32.Horst.pg (Kaspersky), BackDoor-CMQ.gen (McAfee), Trojan.Horst (Symantec)
Short description
Win32/Medbot.CD is an IRC-controlled backdoor.
Installation
When executed, the backdoor copies itself into the %system% folder using the following name:
- smss.exe
The backdoor then runs its code as a thread inside the following process:
- %system%\svchost.exe
In order to be executed on every system start, the backdoor sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- ".nvsvc" = "%system%\smss.exe /w"
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
- "Start" = "4"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%system%\smss.exe" = "%system%\smss.exe:*:Enabled:Microsoft Update"
Setting "Start" to 4 disables the Automatic Updates service (wuauserv). The second entry adds %system%\smss.exe to the Windows Firewall list of authorized applications under the misleading label "Microsoft Update", so the backdoor's network connections are not blocked by the firewall.
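The following PowerShell triage script is an added example; it is not part of the original entry and not ESET's own tooling. It checks a live host for the persistence, service and firewall artifacts listed above. It assumes that %system% means %SystemRoot%\System32 (the entry does not define it) and that it runs in an elevated PowerShell session. Because the legitimate Session Manager binary is also named smss.exe and also lives in System32, the file check reports the Authenticode status instead of treating presence alone as an indicator.

```powershell
# Added triage script for the Win32/Medbot.CD artifacts described in this entry.
# Assumptions (not stated on the page): %system% = $env:SystemRoot\System32,
# elevated session, Windows PowerShell 5.1 or later.

$system   = Join-Path $env:SystemRoot 'System32'
$payload  = Join-Path $system 'smss.exe'
$findings = @()

# 1. Persistence: Run value ".nvsvc" = "%system%\smss.exe /w"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['.nvsvc']) {
    $findings += "Run value '.nvsvc' = '$($run.'.nvsvc')'"
}

# 2. Automatic Updates service disabled (Start = 4)
$wuKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
$wu = Get-ItemProperty -Path $wuKey -Name Start -ErrorAction SilentlyContinue
if ($wu -and $wu.Start -eq 4) {
    $findings += 'wuauserv Start = 4 (Automatic Updates disabled)'
}

# 3. Windows Firewall authorized-application entry for %system%\smss.exe
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw -and $fw.PSObject.Properties[$payload]) {
    $findings += "Firewall exception: '$payload' = '$($fw.$payload)'"
}

# 4. The dropped file. A genuine, Microsoft-signed smss.exe normally exists in
#    System32, so only an unsigned or invalidly signed copy is suspicious here.
if (Test-Path -Path $payload) {
    $sig = Get-AuthenticodeSignature -FilePath $payload
    if ($sig.Status -ne 'Valid') {
        $findings += "smss.exe in System32 has signature status '$($sig.Status)'"
    }
}

if ($findings.Count -gt 0) {
    Write-Output 'Possible Win32/Medbot.CD artifacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output 'No Win32/Medbot.CD registry or file artifacts found.'
}
```

Each of the three registry checks matches a specific value from this entry rather than a generic pattern, so a hit on any one of them is worth escalating; a hit on the firewall list in particular is unusual for legitimate software, which does not register itself under a Microsoft Update label.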
Other information
The backdoor connects to an IRC server and can be controlled remotely through it.
The backdoor can download a file from the Internet and execute it.
The backdoor disables various security related applications.