Win32/Medbot [Threat Name]

Win32/Medbot.CD [Threat Variant Name]

Category trojan
Aliases
  • (Kaspersky)
  • BackDoor-CMQ.gen (McAfee)
  • Trojan.Horst (Symantec)
Short description

Win32/Medbot.CD is an IRC-controlled backdoor.

When executed, the backdoor copies itself into the %system% folder using the following name:

  • smss.exe

The file is executed as a thread in the following process:

  • %system%\svchost.exe

In order to be executed on every system start, the backdoor sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • ".nvsvc" = "%system%\smss.exe /w"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    • "Start" = "4"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%system%\smss.exe" = "%system%\smss.exe:*:Enabled:Microsoft Update"

Setting "Start" to "4" disables the Automatic Updates service (wuauserv). The second entry adds %system%\smss.exe to the Windows Firewall exception list, so the backdoor's network traffic is not blocked.
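As an added detection example (not code from the ESET page), the following PowerShell performs a read-only check of a host for the registry artifacts described above; the function name is an assumption of this example, and the key paths and value names are the ones listed on the page.

```powershell
# Added example, not from the ESET page: a read-only check for the registry
# artifacts this page attributes to Win32/Medbot.CD. Run as Administrator.
function Get-MedbotCDIndicators {
    $findings = @()
    $system = [Environment]::GetFolderPath('System')   # resolves %system%
    $smss   = Join-Path $system 'smss.exe'

    # 1. Autostart value ".nvsvc" under the HKLM Run key ("%system%\smss.exe /w")
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['.nvsvc']) {
        $findings += "Run value '.nvsvc' = '$($run.'.nvsvc')'"
    }

    # 2. Automatic Updates service disabled (Start = 4)
    $wuKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    if ($wu -and $wu.Start -eq 4) {
        $findings += 'wuauserv Start = 4 (Automatic Updates disabled)'
    }

    # 3. Firewall exception for %system%\smss.exe in the XP-era
    #    AuthorizedApplications list (the key does not exist on newer Windows)
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
             'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    if ($fw -and $fw.PSObject.Properties[$smss]) {
        $value = $fw.PSObject.Properties[$smss].Value
        $findings += "Firewall exception '$smss' = '$value'"
    }

    # smss.exe is a legitimate Windows binary that normally lives in %system%,
    # so the file's presence alone proves nothing; the registry values above
    # are what distinguish this variant. Report the file only alongside them.
    if ($findings.Count -gt 0 -and (Test-Path $smss)) {
        $findings += "File present: $smss"
    }
    return $findings
}

$result = @(Get-MedbotCDIndicators)
if ($result.Count -eq 0) { 'No Win32/Medbot.CD registry indicators found.' }
else { $result }
```

The AuthorizedApplications list only exists on Windows XP-era firewall configurations, so on newer systems only the Run key and wuauserv checks apply.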

Other information

The backdoor connects to the IRC network.

It can be controlled remotely.

The backdoor can download a file from the Internet.

The file is then executed.

The backdoor disables various security related applications.
