Backdoor:Win32/Gaertob.A is a trojan that allows unauthorized access and control of an affected computer. It may be ordered by a remote attacker to spread via peer-to-peer file sharing. It may also change the affected user's browser Start page.
Installation
When executed, Backdoor:Win32/Gaertob.A copies itself to %windir%\rundll.exe and modifies the registry to execute this copy at each Windows start:
Adds value: "Windows Firevall Control C"
With data: "rundll.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Backdoor:Win32/Gaertob.A checks if it is loaded from one of the following processes, and if it is, it exits:
sandbox
honey
vmware
currentuser
Backdoor:Win32/Gaertob.A may create the mutex "nmmxm" in order to ensure that multiple copies of the trojan do not run simultaneously.
Backdoor:Win32/Gaertob.A also creates a batch file that it uses to delete its original executable. The filename of this batch file uses the following format:
rmme<4 random numbers>.bat
Spreads via…
Peer-to-Peer file sharing
When ordered by a remote attacker, Backdoor:Win32/Gaertob.A checks for the following folders under the Program Files directory:
icq\shared folder\
grokster\my grokster\
bearshare\shared\
edonkey2000\incoming\
emule\incoming\
morpheus\my shared folder\
limewire\shared\
tesla\files\
winmx\shared\
If any of the above folders are present, it may drop a copy of itself into them using one of the following file names:
HotmailHacker.exe
YahooCracker.exe
MSNHacks.exe
paris-hilton.scr
VistaUltimate-Crack.exe
image.scr
Porno.MPEG.exe
LimeWireCrack.exe
RapidsharePREMIUM.exe
WildHorneyTeens.scr
Ebooks.exe
How-to-make-money.exe
ScreenMelter.exe
DDOSPING.exe
Wireshark.exe
Autoloader.exe
FREEPORN.exe
f**ksh*tc**t.scr
ilovetof**k.scr
*Note: These filenames may have been modified due to their possibly offensive content.
Payload
Allows backdoor access and control
Backdoor:Win32/Gaertob.A allows unauthorized access and control of the affected computer. It joins a specified IRC channel and awaits commands from a remote attacker. Using this backdoor an attacker can perform the following actions:
- Download and execute arbitrary files
- Update the trojan
- Terminate processes
- Propagate via MSN Messenger by sending a copy of itself with filename _0014.jpeg-www.imageshack.exe
- Propagate via P2P file sharing (see the "Spreads via…" section above for additional detail)
Modifies system security settings
Backdoor:Win32/Gaertob.A modifies the following registry entry in order to add itself to the Windows firewall authorized applications list:
Modifies value: "List"
With data: "<Malware File>:*:enabled:windows firevall control c"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
Modifies hosts file
Backdoor:Win32/Gaertob.A modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a Web site's host name to a particular IP address. Malicious software may modify the Hosts file to redirect specified URLs to different IP addresses; malware often does this on an affected machine to stop users from reaching Web sites associated with security-related applications, such as antivirus products.
Backdoor:Win32/Gaertob.A modifies the hosts file to redirect the following hosts to localhost (127.0.0.1):
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky-labs.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
scanner.novirusthanks.org
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
threatexpert.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
virscan.org
viruslist.com
virusscan.jotti.org
virustotal.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.scanner.novirusthanks.org
www.sophos.com
www.symantec.com
www.trendmicro.com
www.virscan.org
www.viruslist.com
www.virusscan.jotti.org
www.virustotal.com
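As an added check that is not part of this advisory: a small Python script that parses hosts-file text and reports which of the security-vendor hosts listed above are pinned to a sinkhole address, and that matches the AuthorizedApplications "List" entry format described in the firewall section. The watchlist is a representative subset of the advisory's hosts, the sample hosts content is constructed, and treating 0.0.0.0 and ::1 as sinkhole addresses (in addition to the advisory's 127.0.0.1) is an assumption of this example.

```python
import re

# Representative subset of the security-vendor hosts the advisory lists as
# redirected to localhost; extend from the full list above as needed.
GAERTOB_BLOCKED_HOSTS = {
    "avp.com", "kaspersky.com", "mcafee.com", "symantec.com",
    "liveupdate.symantec.com", "virustotal.com", "www.virustotal.com",
    "sophos.com", "trendmicro.com", "f-secure.com",
}

# 127.0.0.1 is what the advisory describes; 0.0.0.0 and ::1 are an added
# assumption (other common sinkhole addresses), not from the advisory.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def suspicious_hosts_entries(text, watchlist=GAERTOB_BLOCKED_HOSTS):
    """Return the watchlisted hostnames that the hosts text pins to a sinkhole address."""
    hits = {name for ip, name in parse_hosts(text)
            if ip in SINKHOLE_ADDRS and name in watchlist}
    return sorted(hits)

def is_gaertob_authorized_app_entry(value):
    """Match the AuthorizedApplications 'List' value format from the advisory:
    '<path>:*:enabled:windows firevall control c' (the trojan's own misspelling)."""
    pattern = r".+:\*:enabled:windows firevall control c"
    return re.fullmatch(pattern, value.strip(), re.IGNORECASE) is not None

# Constructed sample hosts-file content (not captured from a real infection).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1 avp.com
127.0.0.1 www.virustotal.com
127.0.0.1 liveupdate.symantec.com
10.0.0.5  intranet.example   # legitimate internal mapping
"""

if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
    # → ['avp.com', 'liveupdate.symantec.com', 'www.virustotal.com']
```

On a live system, feed it the contents of %windir%\System32\drivers\etc\hosts and the "List" value from the AuthorizedApplications subkey named above; the legitimate localhost and internal mappings are left alone.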
Modifies browser settings
Backdoor:Win32/Gaertob.A may change the affected user's home page to:
www.gllod.com
Analysis by Francis Allan Tan Seng