A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#13505 by rkhunter
Tue May 29, 2012 12:27 pm
Some backdoor with injection in processes without rootkit (just was captured).
Backdoor:Win32/Phdet.gen!A
MD5: 79642aa8ae971b5e655cc5e4b989c133
https://www.virustotal.com/file/b81f4f2 ... /analysis/
http://www.microsoft.com/security/porta ... hdet.gen!A
Attachments
pass:infected
#13520 by Buster_BSA
Tue May 29, 2012 6:46 pm
[ Changes to filesystem ]
* Deletes file C:\M\TEST\79642AA8AE971B5E655CC5E4B989C133.EXE
* Creates file C:\windows\system32\mssrv32.exe
File length: 23040 bytes
File type: EXE
File entropy: 6.16391 (77.0489%)
Adobe Malware Classifier: Malicious
MD5 hash: 79642aa8ae971b5e655cc5e4b989c133
SHA1 hash: ee12fc5dfdf42658d713c11d095627e4f1b4670e
SHA256 hash: b81f4f21017f38ee51e25e23a4357dae649554e43bd55f9a4840262af7f51144

[ Changes to registry ]
* Creates value "DisableRawSecurity=01000000" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\AFD\Parameters
* Creates value "ImagePath=c:\windows\system32\mssrv32.exe" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate
* Creates value "DisplayName=Microsoft security update service" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate
* Creates value "Description=This service downloading and installing Windows security updates" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate
* Creates value "ObjectName=LocalSystem" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate
* Creates value "Start=02000000" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate
* Creates value "Type=10000000" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate
* Modifies value "SavedLegacySettings=3C000000C20700000100000000000000000000000000000004000000000000004029829C4F33CB0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=3C000000C10700000100000000000000000000000000000004000000000000004029829C4F33CB0101000000C0A800040000000000000000"

[ Network services ]
* Looks for an Internet connection.
* Connects to "ixi.alwaysdata.net" on port 80.

[ Process/window/string information ]
* Enables process privileges.
* Gets user name information.
* Gets volume information.
* Gets computer name.
* Creates a mutex "{F3532CE1-0832-11B1-920A-25000A276A73}".
* Creates process "(null),C:\WINDOWS\system32\svchost.exe,(null)".
* Injects code into process "c:\windows\system32\svchost.exe".

Seems like it installs itself as a Windows service and injects code into svchost.exe.
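As an added example (not code from this thread or from the sandbox), a small Python parser for the registry section of a report in the format above: it groups the changes under `...\Services\<name>` by service, decodes the little-endian REG_DWORD `Start`/`Type` data, and reports the new service definition and the AFD `DisableRawSecurity` change. The input lines are copied from the report above; the `SERVICE_START`/`SERVICE_TYPE` names are the standard Win32 service constants.

```python
import re

# Registry lines copied from the sandbox report above; the parser handles the
# '* Creates|Modifies value "NAME=DATA" in key PATH' line format it uses.
REPORT_LINES = [
    r'* Creates value "DisableRawSecurity=01000000" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\AFD\Parameters',
    r'* Creates value "ImagePath=c:\windows\system32\mssrv32.exe" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate',
    r'* Creates value "DisplayName=Microsoft security update service" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate',
    r'* Creates value "ObjectName=LocalSystem" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate',
    r'* Creates value "Start=02000000" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate',
    r'* Creates value "Type=10000000" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\msupdate',
]

LINE_RE = re.compile(r'^\* (Creates|Modifies) value "([^"=]+)=(.*)" in key (.+)$')

# Standard Win32 service constants (SERVICE_* in winnt.h).
SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
SERVICE_TYPE = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER", 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}

def dword(hexdump):
    """The report prints REG_DWORD data as its little-endian bytes in hex."""
    return int.from_bytes(bytes.fromhex(hexdump), "little")

def parse_service_changes(lines):
    """Group changes under ...\\Services\\<name> into {name: {"sub\\value": data}}."""
    services = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m: continue
        _, name, data, key = m.groups()
        parts = key.split("\\")
        lower = [p.lower() for p in parts]
        if "services" not in lower: continue
        i = lower.index("services")
        svc, sub = parts[i + 1], "\\".join(parts[i + 2:])
        services.setdefault(svc, {})[(sub + "\\" if sub else "") + name] = data
    return services

def summarize(services):
    """Decode the DWORD fields and return the findings a reviewer would want."""
    findings = []
    for svc, vals in services.items():
        if "ImagePath" in vals:  # a whole service definition is being written
            start = SERVICE_START.get(dword(vals["Start"]), "?") if "Start" in vals else "?"
            stype = SERVICE_TYPE.get(dword(vals["Type"]), "?") if "Type" in vals else "?"
            account = vals.get("ObjectName", "LocalSystem")  # SCM default when absent
            findings.append(f"new service {svc}: {stype}, {start}, runs as {account}, image={vals['ImagePath']}")
        if dword(vals.get("Parameters\\DisableRawSecurity", "00000000")) == 1:
            findings.append(f"{svc}: DisableRawSecurity=1 (AFD raw-socket privilege check disabled)")
    return findings
```

Running `summarize(parse_service_changes(REPORT_LINES))` on the lines above yields two findings: the msupdate service as an auto-start own-process service running as LocalSystem from mssrv32.exe, and the AFD parameter change.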