Malware Backdoor.Win32.Bredavi.byc – a malicious program that gives a remote attacker access to an infected machine.
Technical details
A malicious program that gives a remote attacker access to an infected machine. The program itself is a Windows PE DLL file, 26,113 bytes in size, written in C++.
Installation
The Trojan copies its body to the Windows system directory under the name "xxtr.lro":
%System%\xxtr.lro
To start automatically at every user logon, the Trojan modifies the Winlogon "Shell" value in the system registry:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe rundll32.exe xxtr.lro olxanj"
Winlogon launches this string as the user's shell, so alongside Explorer.exe it starts rundll32.exe, which loads xxtr.lro as a DLL and calls its exported function "olxanj".
Destructive activity
If Microsoft Office is installed on the victim's computer, the Trojan lowers Word's macro security by writing the following values to the registry key:
[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" = "1" "AccessVBOM" = "1"
"Level" = 1 sets Word's macro security to Low and "AccessVBOM" = 1 allows programmatic access to the VBA project object model (the key path is for Word 2003, Office version 11.0). The Trojan then runs macros that launch its original body.
To ensure that only one copy of itself runs on the system, the Trojan creates a mutex with the name:
3902263633e897d151
The Trojan then launches a process named "svchost.exe" and injects its malicious code into that process's address space:
svchost.exe
The Trojan sends a request to the following address:
http:// **** hostforyou.cn / onlyhotnews / bb.php
In response it receives a configuration file that directs its further activity. The Trojan stores the download links for other malicious files, obtained from the configuration file, in the following registry key:
[HKCR\idid]
Removal
If your computer was not protected by an antivirus product and is infected with this malware, do the following to remove it:
Delete the original Trojan file (its location depends on how the program originally reached the victim machine).
Delete the file (first end any rundll32.exe or svchost.exe process that has it loaded, since Windows will not let you delete a DLL that is in use):
%System%\xxtr.lro
Clear the Temporary Internet Files directory, which may contain infected files:
%Temporary Internet Files%
Delete the registry key:
[HKCR\idid]
If necessary, restore the "Level" and "AccessVBOM" values in the registry key:
[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" "AccessVBOM"
Restore the Winlogon registry value to the following:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe"
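The removal procedure above as an added PowerShell script (not part of the original description and not a vendor tool). It audits every indicator listed on this page (the Winlogon "Shell" value, the %System%\xxtr.lro file, the HKCR\idid key, the Word 2003 security values and the mutex) and, when run with -Remediate from an elevated prompt, applies the removal steps. The paths, registry keys, values and mutex name are taken from the text; the function and parameter names, the choice to restore "Level" to 3 (High) and "AccessVBOM" to 0, and the "process with xxtr.lro loaded" check are this script's own assumptions.

```powershell
<#
  Added example (not from the original description): audit and optionally
  remove the Backdoor.Win32.Bredavi.byc indicators listed above.
  Run from an elevated PowerShell prompt. Without -Remediate it only reports.
  Assumptions: Word 2003 macro security is restored to Level 3 (High) and
  AccessVBOM 0; an infected process is one that has xxtr.lro loaded.
#>
param([switch]$Remediate)

$System    = [Environment]::GetFolderPath('System')          # %System%
$DllPath   = Join-Path $System 'xxtr.lro'
$Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WordSec   = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security'
$ConfigKey = 'Registry::HKEY_CLASSES_ROOT\idid'
$MutexName = '3902263633e897d151'
$Cache     = [Environment]::GetFolderPath('InternetCache')   # %Temporary Internet Files%

function Test-BredaviMutex {
    # OpenExisting succeeds only while some process holds the mutex; the
    # Trojan creates it under the name above when it is running.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true    # exists but is owned by another session/user
    }
}

function Get-InfectedProcesses {
    # rundll32.exe started via the Winlogon Shell value has xxtr.lro loaded as a
    # module. Code injected into svchost.exe need not appear as a module, so
    # this check is a floor, not a guarantee.
    Get-Process -Name rundll32, svchost -ErrorAction SilentlyContinue | Where-Object {
        try { $_.Modules | Where-Object { $_.ModuleName -ieq 'xxtr.lro' } } catch { $false }
    }
}

function Get-BredaviIndicators {
    $shell = (Get-ItemProperty -Path $Winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    $word  = Get-ItemProperty -Path $WordSec -ErrorAction SilentlyContinue
    [PSCustomObject]@{ Indicator = 'Winlogon Shell references xxtr.lro'; Present = [bool]($shell -match 'xxtr\.lro'); Detail = $shell }
    [PSCustomObject]@{ Indicator = 'File %System%\xxtr.lro';            Present = (Test-Path -LiteralPath $DllPath);   Detail = $DllPath }
    [PSCustomObject]@{ Indicator = 'Registry key HKCR\idid';            Present = (Test-Path -LiteralPath $ConfigKey); Detail = $ConfigKey }
    [PSCustomObject]@{ Indicator = 'Word macro security lowered';       Present = [bool]($word -and ($word.Level -eq 1 -or $word.AccessVBOM -eq 1)); Detail = "Level=$($word.Level) AccessVBOM=$($word.AccessVBOM)" }
    [PSCustomObject]@{ Indicator = 'Mutex 3902263633e897d151 held';     Present = (Test-BredaviMutex);                Detail = $MutexName }
}

function Remove-Bredavi {
    # Stop the processes holding the DLL first: Windows refuses to delete a DLL that is loaded.
    Get-InfectedProcesses | Stop-Process -Force -ErrorAction SilentlyContinue

    if (Test-Path -LiteralPath $DllPath)   { Remove-Item -LiteralPath $DllPath -Force }
    if (Test-Path -LiteralPath $ConfigKey) { Remove-Item -LiteralPath $ConfigKey -Recurse -Force }
    Remove-Item -Path (Join-Path $Cache '*') -Recurse -Force -ErrorAction SilentlyContinue

    if (Test-Path -LiteralPath $WordSec) {
        # Assumed safe defaults for Word 2003: High (3) and no VBA object-model access (0).
        Set-ItemProperty -Path $WordSec -Name Level -Value 3 -Type DWord
        Set-ItemProperty -Path $WordSec -Name AccessVBOM -Value 0 -Type DWord
    }
    # Restore the shell so Winlogon no longer starts rundll32.exe xxtr.lro at logon.
    Set-ItemProperty -Path $Winlogon -Name Shell -Value 'Explorer.exe' -Type String
}

$report = Get-BredaviIndicators
$report | Format-Table -AutoSize
if ($Remediate -and ($report | Where-Object Present)) {
    Remove-Bredavi
    Write-Host 'Remediation applied; reboot and re-run this script to confirm all indicators are gone.'
}
```

Run it once without -Remediate to see which indicators are present, then with -Remediate to apply the steps. The "Shell" check matches the xxtr.lro reference rather than testing for exactly "Explorer.exe", so environments that legitimately use a custom shell are not flagged; the original "Shell" value is printed in the Detail column either way.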