Backdoor:Win32/Gaertob.A is a trojan that allows unauthorized access and control of an affected computer. It may be ordered by a remote attacker to spread via peer-to-peer file sharing. It may also change the affected user's browser Start page.
When executed, Backdoor:Win32/Gaertob.A copies itself to %windir%\rundll.exe and modifies the registry to execute this copy at each Windows start:
Adds value: "Windows Firevall Control C"
With data: "rundll.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Backdoor:Win32/Gaertob.A checks whether it has been loaded by one of the following processes and, if so, exits:
Backdoor:Win32/Gaertob.A may create the mutex "nmmxm" in order to ensure that multiple copies of the trojan do not run simultaneously.
Backdoor:Win32/Gaertob.A also creates a batch file that it uses to delete its original executable. The filename of this batch file uses the following format:
rmme<4 random numbers>.bat
Peer-to-Peer file sharing
When ordered by a remote attacker, Backdoor:Win32/Gaertob.A checks for the following folders under the Program Files directory:
morpheus\my shared folder\
If any of these folders is present, it may drop a copy of itself into them using one of the following file names:
*Note: These filenames may have been modified due to their possibly offensive content.
Allows backdoor access and control
Backdoor:Win32/Gaertob.A allows unauthorized access and control of the affected computer. It joins a specified IRC channel and awaits commands from a remote attacker. Using this backdoor an attacker can perform the following actions:
- Download and execute arbitrary files
- Update the trojan
- Propagate via MSN Messenger by sending a copy of itself with the filename _0014.jpeg-www.imageshack.exe
- Propagate via peer-to-peer file sharing (see the Peer-to-Peer file sharing section above for additional detail)
Modifies system security settings
Backdoor:Win32/Gaertob.A modifies the following registry entry in order to add itself to the Windows firewall authorized applications list:
Modifies value: "List"
With data: "<Malware File>:*:enabled:windows firevall control c"
Modifies hosts file
Backdoor:Win32/Gaertob.A modifies the Windows Hosts file. Entries in the local Hosts file take precedence over DNS resolution, mapping a host name to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified host names to different IP addresses. Malware often modifies an affected machine's Hosts file in order to stop users from reaching Web sites associated with security-related applications (such as antivirus vendors).
Backdoor:Win32/Gaertob.A modifies the hosts file to redirect the following hosts to localhost (127.0.0.1):
Modifies browser settings
Backdoor:Win32/Gaertob.A may change the affected user's home page to:
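The indicators given throughout this entry (the dropped copy and Run value, the mutex, the self-delete batch file, the firewall exception, the Hosts file changes and the browser Start page) can be checked from an elevated PowerShell prompt on a suspect host. The script below is an added triage example, not part of the Microsoft entry or the malware analysis; the legacy firewall policy registry keys, the directories searched for the batch file and the Internet Explorer Start Page value are assumptions that the entry does not state.

```powershell
# Added triage example (not from the Microsoft entry). Run from an elevated
# PowerShell prompt on the suspect host; it only reads, it does not clean.
function Test-GaertobIndicators {
    $findings = @()

    # 1. Dropped copy. Windows ships rundll32.exe, not rundll.exe, so a file
    #    named %windir%\rundll.exe on an NT-based system is itself suspicious.
    $dropPath = Join-Path $env:windir 'rundll.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $findings += "Dropped copy present: $dropPath"
    }

    # 2. Persistence: Run value named "Windows Firevall Control C" (sic, as in the entry).
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Windows Firevall Control C']) {
        $findings += "Run value 'Windows Firevall Control C' -> $($run.'Windows Firevall Control C')"
    }

    # 3. Mutex "nmmxm": present only while the trojan is running in this session.
    try {
        $mutex = [System.Threading.Mutex]::OpenExisting('nmmxm')
        $mutex.Dispose()
        $findings += "Mutex 'nmmxm' exists: trojan process is running"
    } catch { }

    # 4. Self-delete batch file rmme<4 digits>.bat. The entry does not say where
    #    it is written; %TEMP% and %windir% are ASSUMED search locations.
    foreach ($dir in @($env:TEMP, $env:windir)) {
        $bats = Get-ChildItem -LiteralPath $dir -Filter 'rmme*.bat' -File -ErrorAction SilentlyContinue
        foreach ($bat in $bats) {
            if ($bat.Name -match '^rmme\d{4}\.bat$') {
                $findings += "Self-delete batch file: $($bat.FullName)"
            }
        }
    }

    # 5. Firewall exception. The entry gives only the value name "List" and the
    #    data format; the legacy firewall policy keys below are ASSUMED.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        $listKey = "$fwBase\$profile\AuthorizedApplications\List"
        $list = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
        if (-not $list) { continue }
        foreach ($prop in $list.PSObject.Properties) {
            if ("$($prop.Value)" -match 'windows firevall control c') {
                $findings += "Firewall exception ($profile): $($prop.Value)"
            }
        }
    }

    # 6. Hosts file: report any name other than localhost pinned to loopback,
    #    since the entry's list of redirected hosts is not reproduced here.
    $hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
    foreach ($raw in (Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue)) {
        $line = ($raw -split '#', 2)[0].Trim()
        if ($line -match '^(127\.0\.0\.1|::1)\s+(\S+)' -and $Matches[2] -notmatch '^localhost$') {
            $findings += "Hosts override: $line"
        }
    }

    # 7. Browser Start page. ASSUMED to be Internet Explorer's per-user value;
    #    the entry does not give the URL, so the current value is reported for review.
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ie -and $ie.'Start Page') {
        $findings += "IE Start Page: $($ie.'Start Page')"
    }

    return $findings
}

$result = Test-GaertobIndicators
if ($result.Count -eq 0) { 'No Gaertob.A indicators found' } else { $result }
```

The mutex check only sees the session in which the script runs; a process in another session (or one that created the mutex in the Global\ namespace) would need the prefixed name. The Hosts check is deliberately broader than this family's list, so review each reported override rather than treating every hit as Gaertob.A.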
Analysis by Francis Allan Tan Seng