
Backdoor:Win32/Gaertob.A


Backdoor:Win32/Gaertob.A is a trojan that allows unauthorized access and control of an affected computer. It may be ordered by a remote attacker to spread via peer-to-peer file sharing. It may also change the affected user's browser Start page.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Additional remediation instructions for Backdoor:Win32/Gaertob.A
This threat may make lasting changes to an affected system’s configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following article/s: 

Threat behavior

Backdoor:Win32/Gaertob.A is a trojan that allows unauthorized access and control of an affected computer. It may be ordered by a remote attacker to spread via peer-to-peer file sharing. It may also change the affected user's browser Start page.
Installation
When executed, Backdoor:Win32/Gaertob.A copies itself to %windir%\rundll.exe and modifies the registry to execute this copy at each Windows start:
Adds value: "Windows Firevall Control C"
With data: "rundll.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The misspelling "Firevall" is the malware's own and recurs in the firewall entry described under Payload. Note that the dropped file is named rundll.exe, not the legitimate rundll32.exe that lives in System32; the bare file name in the Run value resolves because %windir% is on the default search path.
 
Backdoor:Win32/Gaertob.A checks whether the name of the process it is loaded from contains any of the following strings and, if so, exits. This is a simple analysis-evasion check aimed at sandboxes, honeypots and virtual machines:
sandbox
honey
vmware
currentuser
 
Backdoor:Win32/Gaertob.A may create the mutex "nmmxm" in order to ensure that multiple copies of the trojan do not run simultaneously.
 
Backdoor:Win32/Gaertob.A also creates a batch file that it uses to delete its original executable. The filename of this batch file uses the following format:
  • rmme<4 random numbers>.bat
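As an added example (mine, not part of the Microsoft write-up), the following PowerShell checks a host for the installation artifacts described above: the dropped copy in %windir%, the Run value and the mutex. It assumes an elevated session; the Global\ form of the mutex name is an assumption, since the write-up gives only the bare name "nmmxm".

```powershell
# Added example, not from the write-up: check a host for the installation
# artifacts attributed to Backdoor:Win32/Gaertob.A. Run elevated.

$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName  = 'Windows Firevall Control C'        # misspelling is the malware's own
$dropPath   = Join-Path $env:windir 'rundll.exe'   # legitimate helper is System32\rundll32.exe
$mutexNames = @('nmmxm', 'Global\nmmxm')          # Global\ prefix is an assumption

function Test-GaertobArtifacts {
    $findings = @()

    # 1. Dropped copy in %windir%. Hash it so the value can be pivoted on.
    if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
        $findings += "File present: $dropPath (SHA256 $hash)"
    }

    # 2. Run-key autostart. Match on the value name and report whatever data is
    #    stored; a bare "rundll.exe" resolves through the default search path.
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
        $findings += "Run value present: '$valueName' = '$($run.$valueName)'"
    }

    # 3. Mutex. TryOpenExisting only succeeds while some process holds the name,
    #    so a hit means the backdoor is running right now. Access denied also
    #    means the name exists, owned by another session.
    foreach ($name in $mutexNames) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $m.Dispose()
                $findings += "Mutex open: $name (backdoor process is live)"
            }
        } catch [System.UnauthorizedAccessException] {
            $findings += "Mutex exists but is not accessible: $name"
        }
    }
    return $findings
}

$result = Test-GaertobArtifacts
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Host 'No Gaertob.A installation artifacts found.' }
```

A live mutex hit is the strongest of the three signals: the file and Run value survive a reboot, but the mutex exists only while a process holds it.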
Spreads via…
Peer-to-Peer file sharing
When ordered by a remote attacker, Backdoor:Win32/Gaertob.A checks for the following folders under the Program Files directory:
 
icq\shared folder\
grokster\my grokster\
bearshare\shared\
edonkey2000\incoming\
emule\incoming\
morpheus\my shared folder\
limewire\shared\
tesla\files\
winmx\shared\
 
If any of these folders is present, it may drop a copy of itself there using one of the following file names:
 
HotmailHacker.exe
YahooCracker.exe
MSNHacks.exe
paris-hilton.scr
VistaUltimate-Crack.exe
image.scr
Porno.MPEG.exe
LimeWireCrack.exe
RapidsharePREMIUM.exe
WildHorneyTeens.scr
Ebooks.exe
How-to-make-money.exe
ScreenMelter.exe
DDOSPING.exe
Wireshark.exe
Autoloader.exe
FREEPORN.exe
f**ksh*tc**t.scr
ilovetof**k.scr
 
*Note: These filenames may have been modified due to their possibly offensive content.
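As an added example (mine, not Microsoft's), the following PowerShell sweeps the share folders named above for copies of the backdoor. Files are matched two ways: by the lure names listed in the write-up (the two masked names cannot be matched and are omitted), and by SHA256 equality with %windir%\rundll.exe when that dropped copy is present, which also catches a copy dropped under a different name. Checking the 32-bit Program Files folder on 64-bit Windows is an assumption; the write-up says only "the Program Files directory".

```powershell
# Added example, not from the write-up: look for Gaertob.A copies in the P2P
# share folders it is reported to seed.

$shareFolders = @(
    'icq\shared folder', 'grokster\my grokster', 'bearshare\shared',
    'edonkey2000\incoming', 'emule\incoming', 'morpheus\my shared folder',
    'limewire\shared', 'tesla\files', 'winmx\shared'
)
$lureNames = @(
    'HotmailHacker.exe', 'YahooCracker.exe', 'MSNHacks.exe', 'paris-hilton.scr',
    'VistaUltimate-Crack.exe', 'image.scr', 'Porno.MPEG.exe', 'LimeWireCrack.exe',
    'RapidsharePREMIUM.exe', 'WildHorneyTeens.scr', 'Ebooks.exe',
    'How-to-make-money.exe', 'ScreenMelter.exe', 'DDOSPING.exe', 'Wireshark.exe',
    'Autoloader.exe', 'FREEPORN.exe'
)
# Both Program Files roots; the x86 root is an assumption on 64-bit hosts.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Find-GaertobP2PCopies {
    # Reference hash of the dropped copy, if it is still on disk.
    $dropped = Join-Path $env:windir 'rundll.exe'
    $refHash = $null
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $refHash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    }

    foreach ($root in $roots) {
        foreach ($rel in $shareFolders) {
            $dir = Join-Path $root $rel
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
            foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
                $byName = $lureNames -contains $f.Name
                $byHash = $false
                # Only hash executables/screensavers; shares hold large media files.
                if ($refHash -and ($f.Extension -in @('.exe', '.scr'))) {
                    $byHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash -eq $refHash
                }
                if ($byName -or $byHash) {
                    $how = if ($byName -and $byHash) { 'name+hash' } elseif ($byName) { 'name' } else { 'hash' }
                    [pscustomobject]@{ Path = $f.FullName; SizeBytes = $f.Length; MatchedBy = $how }
                }
            }
        }
    }
}

$hits = @(Find-GaertobP2PCopies)
if ($hits.Count) { $hits | Format-Table -AutoSize }
else             { Write-Host 'No Gaertob.A copies found in known P2P share folders.' }
```

A name-only hit on a share is still worth quarantining even when the hash differs, since the sample that seeded it may have been updated through the backdoor's own update command.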
Payload
Allows backdoor access and control
Backdoor:Win32/Gaertob.A allows unauthorized access and control of the affected computer. It joins a specified IRC channel and awaits commands from a remote attacker. Using this backdoor an attacker can perform the following actions:
  • Download and execute arbitrary files
  • Update the trojan
  • Terminate processes
  • Propagate via MSN Messenger by sending a copy of itself with filename _0014.jpeg-www.imageshack.exe
  • Propagate via p2p file sharing (see Spreads via… section above for additional detail) 
 
Modifies system security settings
Backdoor:Win32/Gaertob.A modifies the following registry entry in order to add itself to the Windows firewall authorized applications list:
 
Modifies value: "List"
With data: "<Malware File>:*:enabled:windows firevall control c"
To subkey:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
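As an added example (mine, not Microsoft's), the following PowerShell locates the firewall exception the backdoor registers for itself. On Windows XP and Server 2003 the firewall stores one value per authorized program under the ...\AuthorizedApplications\List subkey, with data in the form <path>:<scope>:<Enabled|Disabled>:<display name>, which is the "List" entry the write-up refers to; the script parses each such entry and flags one whose display name is the malware's or whose path ends in rundll.exe. Windows Vista and later keep rules as pipe-delimited strings under ...\FirewallPolicy\FirewallRules instead, so that store is scanned too with a plain substring match. That second check is my addition and is not something the write-up describes.

```powershell
# Added example, not from the write-up: find the Windows Firewall exception
# that Gaertob.A adds for its dropped copy. Run elevated.

$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$xpList  = "$base\StandardProfile\AuthorizedApplications\List"   # XP / 2003 store
$modern  = "$base\FirewallRules"                                 # Vista and later store
$badName = 'windows firevall control c'   # display name used by the malware
$badExe  = 'rundll.exe'                   # dropped file name
# <path>:<scope>:<Enabled|Disabled>:<name>; path is lazy so the drive colon is not split on
$entryRx = '^(?<path>.+?):(?<scope>[^:]*):(?<state>enabled|disabled):(?<name>.*)$'

function Get-RegistryValues([string]$Key) {
    # Name/data pairs for every value under $Key, minus the PS* metadata
    # properties that Get-ItemProperty adds.
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $props = Get-ItemProperty -LiteralPath $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') {
            [pscustomobject]@{ Name = $p.Name; Data = [string]$p.Value }
        }
    }
}

function Find-GaertobFirewallException {
    $findings = @()

    # XP/2003: parse each entry and test name and executable separately, so a
    # renamed display string or a renamed binary still matches on the other field.
    foreach ($v in Get-RegistryValues $xpList) {
        if ($v.Data -match $entryRx) {
            $exe = Split-Path -Leaf $Matches.path
            if (($Matches.name -eq $badName) -or ($exe -eq $badExe)) {
                $findings += "XP/2003 exception '$($v.Name)': $($Matches.path) scope=$($Matches.scope) state=$($Matches.state) name='$($Matches.name)'"
            }
        }
    }

    # Vista+: rules look like v2.x|Action=Allow|Active=TRUE|Dir=In|App=<path>|Name=<name>|
    foreach ($v in Get-RegistryValues $modern) {
        if (($v.Data -like "*Name=$badName*") -or ($v.Data -like "*\$badExe|*")) {
            $findings += "Firewall rule '$($v.Name)': $($v.Data)"
        }
    }
    return $findings
}

$result = Find-GaertobFirewallException
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Host 'No Gaertob.A firewall exception found.' }
```

Remove a flagged XP-style entry with Remove-ItemProperty on the reported value name; on Vista and later, delete the rule through the firewall MMC or Remove-NetFirewallRule rather than editing FirewallRules directly, so the policy cache stays consistent.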
 
Modifies hosts file
Backdoor:Win32/Gaertob.A modifies the Windows Hosts file. The resolver consults the local Hosts file before DNS, so a host name listed there resolves to whatever IP address the file assigns it. Malware commonly adds entries that point security vendors' update, scanning and support sites at the loopback address, so that the user can no longer reach them and installed antivirus software can no longer update.
 
Backdoor:Win32/Gaertob.A modifies the hosts file to redirect the following hosts to localhost (127.0.0.1):
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky-labs.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
scanner.novirusthanks.org
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
threatexpert.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
virscan.org
viruslist.com
virusscan.jotti.org
virustotal.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.scanner.novirusthanks.org
www.sophos.com
www.symantec.com
www.trendmicro.com
www.virscan.org
www.viruslist.com
www.virusscan.jotti.org
www.virustotal.com
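As an added example (mine, not Microsoft's), the following PowerShell parses the Hosts file, reports any line that maps one of the names listed above to a loopback or blackhole address, and then removes exactly those lines after taking a backup. The domain list is the one in the write-up with duplicates removed. The write-up names 127.0.0.1 as the target; treating 0.0.0.0 and ::1 as equivalent sinkholes is an assumption. It assumes an elevated session.

```powershell
# Added example, not from the write-up: audit and clean the Gaertob.A hosts-file
# redirections. Run elevated.

$hostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$blockedHosts = @(
    'avp.com', 'ca.com', 'customer.symantec.com', 'dispatch.mcafee.com',
    'download.mcafee.com', 'f-secure.com', 'kaspersky-labs.com', 'kaspersky.com',
    'liveupdate.symantec.com', 'liveupdate.symantecliveupdate.com', 'mast.mcafee.com',
    'mcafee.com', 'my-etrust.com', 'nai.com', 'networkassociates.com', 'rads.mcafee.com',
    'scanner.novirusthanks.org', 'secure.nai.com', 'securityresponse.symantec.com',
    'sophos.com', 'symantec.com', 'threatexpert.com', 'trendmicro.com',
    'update.symantec.com', 'updates.symantec.com', 'us.mcafee.com', 'virscan.org',
    'viruslist.com', 'virusscan.jotti.org', 'virustotal.com', 'www.avp.com', 'www.ca.com',
    'www.f-secure.com', 'www.grisoft.com', 'www.kaspersky.com', 'www.mcafee.com',
    'www.my-etrust.com', 'www.nai.com', 'www.networkassociates.com',
    'www.scanner.novirusthanks.org', 'www.sophos.com', 'www.symantec.com',
    'www.trendmicro.com', 'www.virscan.org', 'www.viruslist.com',
    'www.virusscan.jotti.org', 'www.virustotal.com'
)
# 127.0.0.1 is from the write-up; the other two sinkholes are an assumption.
$sinkAddresses = @('127.0.0.1', '0.0.0.0', '::1')

function Get-HostsRedirections([string]$Path, [string[]]$Domains) {
    # Hosts syntax: <address> <name> [<name>...] [# comment]
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path -Force) {
        $lineNo++
        $body = ($line -split '#', 2)[0].Trim()     # drop trailing comment
        if (-not $body) { continue }
        $fields = $body -split '\s+'
        if ($fields.Count -lt 2) { continue }       # malformed line, ignore
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if (($Domains -contains $name) -and ($sinkAddresses -contains $address)) {
                [pscustomobject]@{ Line = $lineNo; Address = $address; Host = $name; Text = $line }
            }
        }
    }
}

function Remove-HostsRedirections([string]$Path, [int[]]$LineNumbers) {
    # Back up, clear any read-only bit, rewrite without the flagged lines, and
    # flush the resolver cache so the change takes effect immediately.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $false
    $lines = @(Get-Content -LiteralPath $Path -Force)
    $kept  = for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($LineNumbers -notcontains ($i + 1)) { $lines[$i] }
    }
    Set-Content -LiteralPath $Path -Value $kept -Encoding ASCII
    ipconfig.exe /flushdns | Out-Null
}

$hits = @(Get-HostsRedirections -Path $hostsPath -Domains $blockedHosts)
if ($hits.Count -eq 0) {
    Write-Host 'No Gaertob.A hosts-file redirections found.'
} else {
    $hits | Format-Table Line, Address, Host -AutoSize
    Remove-HostsRedirections -Path $hostsPath -LineNumbers ($hits | ForEach-Object Line | Sort-Object -Unique)
}
```

Whole lines are removed rather than individual names, so if a flagged line also carried a legitimate mapping, re-add that mapping from the backup. Comment handling matters: a malware entry is not neutralised by a "#" appearing later on the same line, which is why the split happens before the fields are read.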
 
Modifies browser settings
Backdoor:Win32/Gaertob.A may change the affected user's home page to:
www.gllod.com
 
Analysis by Francis Allan Tan Seng

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %windir%\rundll.exe
  • The presence of the following registry modifications:
    Adds value: "Windows Firevall Control C"
    With data: "rundll.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Modifies value: "List"
    With data: "<Malware File>:*:enabled:windows firevall control c"
    To subkey:
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  • Your browser home page may be changed to www.gllod.com

Prevention


Alert level: Severe
First detected by definition: 1.49.2252.0
Latest detected by definition: 1.183.2422.0 and higher
First detected on: Jan 20, 2009
This entry was first published on: Dec 22, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.Buzus.ctwu (Kaspersky)
  • W32/Obfuscated.A!genr (Norman)
  • Win32/Buzus.CTTV (ESET)