Win32/ServStart [Threat Name] go to Threat
Win32/ServStart.AD [Threat Variant Name]
| Category | trojan,worm |
| Size | 17408 B |
| Aliases | DDoS:Win32/Nitol.B (Microsoft) |
| Win32:Rootkit-gen (Avast) | |
| DoS.CUN.trojan (AVG) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %system%\explorer.exe
The trojan registers itself as a system service using the following name:
- Distributgd Transaction CoordinaDistribukdb Transaction Coordinator Service.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\Distributgd Transaction CoordinaDistribukdb Transaction Coordinator Service.]
- "Type" = 16
- "Start" = 2
- "ImagePath" = "%system%\explorer.exe"
- "DisplayName" = "Distribukdb Transaction Coordinator Service."
- "ObjectName" = "LocalSystem"
- "Description" = "Distribuocs"
This causes the trojan to be executed on every system start.
After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects the following information:
- CPU information
- memory status
- operating system version
- computer name
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP, TCP protocol is used.
It can execute the following operations:
- update itself to a newer version
- download files from a remote computer and/or the Internet
- run executable files
- open a specific URL address
- perform DoS/DDoS attacks