Backdoor:Win32/Momibot is a backdoor trojan that connects to remote servers to perform various actions on the infected computer.
Installation
When run, Backdoor:Win32/Momibot.gen!B copies itself to the Windows system folder using a random file name. It then runs its dropped copy.
It creates a random mutex to ensure that only one instance of itself is running.
It makes the following changes to the registry to ensure that its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32Update"
With data: "<malware file name>"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sets value: "Win32Update"
With data: "<malware file name>"
In subkey: HKLM\Software\Microsoft\OLE
Sets value: "Win32Update"
With data: "<malware file name>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Sets value: "Win32Update"
With data: "<malware file name>"
Payload
Modifies security settings
Backdoor:Win32/Momibot modifies the affected computer's security settings by making changes to the registry, for example, the malware:
- Attempts to disable Windows Firewall notifications from the Windows Security Centre:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "FirewallDisableNotify"
With data: "1"
- Attempts to prevent various security products from running:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program name>
Sets value: "Debugger"
With data: "ntsd -d"
Where <program name> may be one or more of the following:
- AVP32.EXE
- ArcaCheck.exe
- AvMonitor.exe
- CCenter.exe
- DRWEB32.EXE
- FAMEH32.EXE
- FPAVServer.exe
- FPWin.exe
- FSMA32.EXE
- GFRing3.exe
- HijackThis.exe
- KASMain.exe
- KASTask.exe
- KAV32.exe
- KAVDX.exe
- KAVPF.exe
- KAVPFW.exe
- KAVStart.exe
- KPFW32.exe
- KPFW32X.exe
- NAVNT.EXE
- NAVSTUB.EXE
- NAVW32.EXE
- NAVWNT.EXE
- Navapsvc.exe
- Navapw32.exe
- Nvcc.exe
- OllyDBG.EXE
- RegTool.exe
- SfFnUp.exe
- Vba32arkit.exe
- Zanda.exe
- Zlh.exe
- a2service.exe
- arcavir.exe
- ashDisp.exe
- ashEnhcd.exe
- ashServ.exe
- ashUpd.exe
- aswUpdSv.exe
- autoruns.exe
- avadmin.exe
- avcenter.exe
- avcls.exe
- avconfig.exe
- avconsol.exe
- avgnt.exe
- avgrssvc.exe
- avguard.exe
- avp.com
- avp.exe
- avscan.exe
- avz.exe
- avz4.exe
- avz_se.exe
- bdagent.exe
- bdinit.exe
- caav.exe
- caavguiscan.exe
- casecuritycenter.exe
- ccupdate.exe
- cfp.exe
- cfpupdat.exe
- cmdagent.exe
- drwadins.exe
- drwebupw.exe
- ekrn.exe
- filemon.exe
- fpscan.exe
- fsav32.exe
- fsgk32st.exe
- guardgui.exe
- guardxservice.exe
- guardxup.exe
- navigator.exe
- niu.exe
- nod32.exe
- nod32krn.exe
- outpost.exe
- preupd.exe
- procexp.exe
- pskdr.exe
- regedit.exe
- regmon.exe
- scan32.exe
- vba32ldr.exe
- vsserv.exe
- zapro.exe
- zonealarm.exe
- zoneband.dll
Allows backdoor access and control
The trojan attempts to allow raw sockets on the affected computer by making the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Sets value: "DisableRawSecurity"
With data: "1"
It does this so that it can listen for remote connections on various ports.
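As an added defender-side example (not part of this write-up), the following Python script parses an exported .reg file offline and flags the registry artifacts listed on this page: the "Win32Update" autostart values, Image File Execution Options "Debugger" entries set to "ntsd -d", and the weakened Security Center and AFD settings. The sample export, the dropped file name xkqzr.exe and the function names are constructed for illustration.

```python
import re
RUN_KEYS = {  # autostart locations the write-up lists (lower-cased, HKEY_LOCAL_MACHINE -> hklm)
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hklm\software\microsoft\ole",
    r"hklm\system\currentcontrolset\control\lsa",
}
IFEO = r"hklm\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
TAMPER = {  # (key, value name) -> data meaning the setting was weakened
    (r"hklm\software\microsoft\security center", "firewalldisablenotify"): "1",
    (r"hklm\system\currentcontrolset\services\afd\parameters", "disablerawsecurity"): "1",
}

def parse_reg(text):
    """Yield (key, value name, data as str) from .reg export text; string and dword values only."""
    key = None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:
            key = m.group(1).lower().replace("hkey_local_machine", "hklm")
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', line.strip(), re.I)
        if m and key:
            name, dword, string = m.groups()
            yield key, name, str(int(dword, 16)) if dword else string.replace("\\\\", "\\")

def find_momibot_artifacts(text):
    """Return findings: Win32Update autostarts, 'ntsd -d' IFEO debuggers, weakened security settings."""
    findings = []
    for key, name, data in parse_reg(text):
        lname = name.lower()
        if key in RUN_KEYS and lname == "win32update":
            findings.append(f"autostart: {key}\\{name} = {data}")
        elif key.startswith(IFEO) and lname == "debugger" and data.lower().startswith("ntsd -d"):
            findings.append(f"ifeo hijack: {key[len(IFEO):]} -> {data}")
        elif (key, lname) in TAMPER and data == TAMPER[(key, lname)]:
            findings.append(f"tamper: {key}\\{name} = {data}")
    return findings

# Constructed sample export (not real data); the dropped file name is an arbitrary placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32Update"="C:\\WINDOWS\\system32\\xkqzr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"Debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DisableRawSecurity"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000000
'''
```

Running `find_momibot_artifacts(SAMPLE_EXPORT)` reports the autostart value, the avguard.exe IFEO hijack and the DisableRawSecurity change, while the unchanged FirewallDisableNotify value (0) is not flagged.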
Some variants may connect to an IRC server, or download instructions from a website.
The backdoor also uses the UPnP protocol in its attempt to initiate remote connections.
Contacts remote hosts
Some variants of Backdoor:Win32/Momibot may contact a remote host in order to receive and relay instructions. We have observed the trojan contacting the following remote hosts:
Analysis by Matt McCormack