
Backdoor:Win32/Atadommoc.C


Backdoor:Win32/Atadommoc.C is a trojan that connects to remote hosts and may download and install additional malware onto your computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Backdoor:Win32/Atadommoc.C is a trojan that allows an attacker to access your computer. It connects to remote hosts and may download and install additional malware onto your computer.

Installation

When executed, Atadommoc.C drops the file "common.data" to the following location:

%ALL USERS%\Application Data\common.data

This is an encrypted data file that Atadommoc uses for its payload. It then creates the following registry entry so that it executes every time your computer starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AutoStart"
With data: "<Malware Path>"  

Note: <Malware Path> is a variable location. This is the location of the Atadommoc.C executable and will vary according to where the trojan has been installed.

Atadommoc then checks for an active Internet connection by querying the SMTP servers a.mx.mail.yahoo.com or smtp.mail.ru using port 25.  

Payload  

Allows backdoor access and control  

Atadommoc allows an attacker to access and control your computer. To do this it establishes a connection with a specified IP address using port 8080. In the wild, we have observed Atadommoc connecting to the following IP addresses for this purpose:

  • 109.169.29.115
  • 202.190.179.11
  • 202.190.179.117
  • 204.12.216.50
  • 46.37.184.90
  • 50.7.243.58
  • 78.129.196.41
  • 78.159.121.164
  • 94.75.243.136  

Atadommoc contains anti-virtualization mechanisms to make analyzing its behavior more difficult. It will not perform its payload if any of the following conditions is met:

  • If the value of the registry entry HARDWARE\DESCRIPTION\System\VideoBiosVersion contains the string "virtualbox".
  • If the name of the physical disk drive contains any of the following strings:  
    00000000000000000001
    array
    qemu
    qm00001
    sample
    vbox
    virtual
    virus
    vmware
    vx
    ware
  • If the following DLLs are loaded into any process:
    SbieDll.dll
    pstorec.dll
  • If the process "wireshark.exe" is running on the system.  
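The checks listed above are useful to an analyst in reverse: they tell you which properties of an analysis VM would make this sample withhold its payload. The following script is an added example, not code from this write-up or from Microsoft; it applies the listed conditions to a description of the guest (the dictionaries at the bottom are constructed sample values, and the assumption that the string comparisons are case-insensitive substring matches is mine).

```python
"""Sandbox self-assessment against the anti-virtualization conditions the
write-up lists for Atadommoc.C.  Added example; the input dictionaries are
constructed stand-ins for values an analyst would read from the guest."""

# Strings taken from the write-up.  Matching is a case-insensitive substring
# test, which is an assumption about how the sample compares them.
VIDEO_BIOS_MARKER = "virtualbox"
DISK_NAME_MARKERS = [
    "00000000000000000001", "array", "qemu", "qm00001", "sample",
    "vbox", "virtual", "virus", "vmware", "vx", "ware",
]
SANDBOX_DLLS = {"sbiedll.dll", "pstorec.dll"}
ANALYSIS_PROCESSES = {"wireshark.exe"}


def evasion_triggers(env):
    """Return the listed conditions that hold in the environment `env`.

    env keys (all optional):
      video_bios_version : str   data of HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion
      disk_names         : list  physical disk drive names
      loaded_dlls        : list  DLL file names loaded in any process
      processes          : list  running process image names
    An empty result means none of the listed checks would fire.
    """
    hits = []
    bios = env.get("video_bios_version", "").lower()
    if VIDEO_BIOS_MARKER in bios:
        hits.append(f"VideoBiosVersion contains '{VIDEO_BIOS_MARKER}'")
    for name in env.get("disk_names", []):
        lowered = name.lower()
        for marker in DISK_NAME_MARKERS:
            if marker in lowered:
                hits.append(f"disk name '{name}' contains '{marker}'")
                break  # one finding per disk is enough
    for dll in env.get("loaded_dlls", []):
        if dll.lower() in SANDBOX_DLLS:
            hits.append(f"DLL '{dll}' is loaded")
    for proc in env.get("processes", []):
        if proc.lower() in ANALYSIS_PROCESSES:
            hits.append(f"process '{proc}' is running")
    return hits


def payload_would_run(env):
    """True when none of the listed evasion conditions is met."""
    return not evasion_triggers(env)


# Constructed sample environments (not real guest data).
DEFAULT_VBOX_GUEST = {
    "video_bios_version": "VirtualBox Video BIOS",
    "disk_names": ["VBOX HARDDISK"],
    "loaded_dlls": ["kernel32.dll", "SbieDll.dll"],
    "processes": ["explorer.exe", "wireshark.exe"],
}
HARDENED_GUEST = {
    "video_bios_version": "Default System BIOS",
    "disk_names": ["ST3500418AS"],
    "loaded_dlls": ["kernel32.dll"],
    "processes": ["explorer.exe"],
}

if __name__ == "__main__":
    for label, env in (("default VirtualBox guest", DEFAULT_VBOX_GUEST),
                       ("hardened guest", HARDENED_GUEST)):
        state = "payload would run" if payload_would_run(env) else "payload suppressed"
        print(f"{label}: {state}")
        for hit in evasion_triggers(env):
            print("   ", hit)
```

Run it with the properties of your own analysis VM filled in; every line it prints is one artifact to rename, unload or stop before detonating the sample.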

This malware can also download a .SYS file onto the computer from the remote servers mentioned above. It may save the .SYS file into the %System%\drivers folder and may install it as a service.

Analysis by Ric Robielos


Symptoms

The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %ALL USERS%\Application Data\common.data
  • The presence of the following registry modifications:
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "AutoStart"
    With data: "<Malware Path>" 

    Note: <Malware Path> is a variable location. This is the location of the Atadommoc.C executable and will vary according to where the trojan has been installed.
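The host artifacts in the Symptoms section and the network indicators in the Payload section can be checked together. The script below is an added example, not code from this write-up or from Microsoft: it parses a `reg query`-style dump for the AutoStart value under the Run key, looks for common.data under Application Data, and matches a simple connection log against the listed port-8080 addresses and the port-25 connectivity probes. The dump, file list and log lines are constructed samples in a format of my own choosing, and the path C:\Example\sample.exe is a placeholder for the variable <Malware Path>.

```python
"""Indicator check for the Atadommoc.C artifacts described in this write-up.
Added example; the registry dump, file listing and connection log are
constructed samples, not real output."""
import re

# Indicators copied from the write-up.
C2_ADDRESSES = {
    "109.169.29.115", "202.190.179.11", "202.190.179.117", "204.12.216.50",
    "46.37.184.90", "50.7.243.58", "78.129.196.41", "78.159.121.164",
    "94.75.243.136",
}
C2_PORT = 8080
PROBE_HOSTS = {"a.mx.mail.yahoo.com", "smtp.mail.ru"}
PROBE_PORT = 25
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "AutoStart"
DROPPED_FILE = r"\Application Data\common.data"

# "<name>  REG_xx  <data>" as printed by reg query (value lines are indented).
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
# Constructed log format: "<date> <time> <process> -> <destination>:<port>"
CONN_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>\S+) -> (?P<dst>[\w.-]+):(?P<port>\d+)$")


def check_registry(reg_query_output):
    """Return the data of the AutoStart value under the Run key, or None."""
    in_run_key = False
    for line in reg_query_output.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            # Key header line; normalise HKEY_LOCAL_MACHINE to HKLM for comparison.
            key = line.strip().upper().replace("HKEY_LOCAL_MACHINE", "HKLM")
            in_run_key = key == RUN_KEY.upper()
            continue
        if in_run_key:
            m = VALUE_RE.match(line)
            if m and m.group(1).lower() == RUN_VALUE.lower():
                return m.group(3)
    return None


def check_files(paths):
    """Return every path that ends with the dropped-file name under Application Data."""
    return [p for p in paths if p.lower().endswith(DROPPED_FILE.lower())]


def check_connections(log_lines):
    """Return (process, destination, port, reason) for each indicator hit.
    Port-25 hits are weak on their own: the probe targets are legitimate mail
    servers, so the signal is a non-mail process contacting them."""
    findings = []
    for line in log_lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        if port == C2_PORT and dst in C2_ADDRESSES:
            findings.append((m["proc"], dst, port, "listed C2 address"))
        elif port == PROBE_PORT and dst.lower() in PROBE_HOSTS:
            findings.append((m["proc"], dst, port, "connectivity probe"))
    return findings


def scan(reg_query_output, paths, log_lines):
    """Combine the three checks into one report."""
    conns = check_connections(log_lines)
    return {
        "run_key_autostart": check_registry(reg_query_output),
        "dropped_files": check_files(paths),
        "connections": conns,
        "c2_contact": any(reason == "listed C2 address" for *_, reason in conns),
    }


# Constructed samples (not real system output).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    AutoStart    REG_SZ    C:\Example\sample.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_SZ    C:\Example\cleanup.exe
"""
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Application Data\common.data",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk",
]
SAMPLE_CONNECTIONS = [
    "2011-07-08 10:14:02 sample.exe -> a.mx.mail.yahoo.com:25",
    "2011-07-08 10:14:05 sample.exe -> 202.190.179.117:8080",
    "2011-07-08 10:15:11 outlook.exe -> mail.example.org:25",
    "2011-07-08 10:16:40 firefox.exe -> 203.0.113.10:443",
]

if __name__ == "__main__":
    for k, v in scan(SAMPLE_REG_QUERY, SAMPLE_FILES, SAMPLE_CONNECTIONS).items():
        print(f"{k}: {v}")
```

On a real host, feed check_registry the output of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` and check_files a directory listing of the Application Data folder; the connection log parser is only for the constructed format shown here and would need adapting to your firewall or proxy log layout.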


Prevention


Alert level: Severe
First detected by definition: 1.107.1353.0
Latest detected by definition: 1.193.1362.0 and higher
First detected on: Jul 08, 2011
This entry was first published on: Jul 08, 2011
This entry was updated on: May 02, 2012

This threat is also detected as:
No known aliases