Atadommoc.C is a trojan that allows an attacker to access your computer. It connects to remote hosts and may download and install additional malware onto your computer.
When executed, Atadommoc.C drops the file "common.data" to the following location:
%ALL USERS%\Application Data\common.data
This is an encrypted data file that Atadommoc uses for its payload. It then creates the following registry entry so that it executes every time your computer starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AutoStart"
With data: "<Malware Path>"
Note: <Malware Path> is a variable location. This is the location of the Atadommoc.C executable and will vary according to where the trojan has been installed.
Atadommoc then checks for an active Internet connection by querying the SMTP servers a.mx.mail.yahoo.com or smtp.mail.ru using port 25.
Allows backdoor access and control
Atadommoc allows an attacker to access and control your computer. In order to do this it establishes a connection with a specified IP address using port 8080. In the wild, we have observed Atadommoc connecting to the following IP addresses for this purpose:
Atadommoc contains anti-virtualization mechanisms to make analyzing its behavior more difficult. It will not perform its payload if any of the following conditions is met:
- If the value of the registry entry HARDWARE\DESCRIPTION\System\VideoBiosVersion contains the string "virtualbox".
- If the name of the physical disk drive contains any of the following strings:
- If the following DLLs are loaded into any process:
- If the process "wireshark.exe" is running on the system.
This malware can also download and install a .SYS file onto the computer from the above-mentioned remote servers. It may save the .SYS file into the %System%\drivers folder and may install it as a service.
Analysis by Ric Robielos
The following system changes may indicate the presence of this malware: