
Backdoor:Win32/Bezigate.B


Microsoft security software detects and removes this threat.

Backdoor:Win32/Bezigate.B is a trojan that allows backdoor access and control of your computer. Using this backdoor, the trojan can perform any number of actions on your computer, including but not limited to stealing personal information and files and sending these to a remote attacker.



What to do now

The following Microsoft software detects and removes this threat:

Threat behavior

Installation

Backdoor:Win32/Bezigate.B drops and runs copies of itself in one of the following folders:

using any of the following file names:

  • 123.exe
  • 456.exe
  • microdbs.exe
  • mscon.exe
  • msiexc.exe
  • msizap.exe
  • msupdt32.exe
  • mypass.exe
  • spsreng.exe
  • stub2546.exe
  • xtreme.exe

The malware makes the following changes to the registry to ensure that it runs each time you start your computer:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>" for example, "456"
With data: "<malware file path>" for example, "C:\Windows\456.exe"
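The persistence check a responder would run against that Run key, as an added example (not Microsoft's code). Rather than reading the live registry, it parses a .reg-style export of the key (assumed format: a `[key]` header followed by `"name"="data"` lines, with .reg backslash escaping), so it runs offline; the sample export is constructed here and mixes one benign entry, two matching the drop list, and one under RunOnce that the key filter deliberately skips.

```python
"""Flag Run-key entries that match the Bezigate.B persistence pattern.

Added example for illustration; it is not Microsoft's code. Instead of reading
the live registry it parses a .reg-style export (assumed format: a [key] header
followed by "name"="data" lines), so it runs offline on any platform.
"""
import ntpath
import re

# File names the entry says Bezigate.B drops and runs (lower-cased for matching).
BEZIGATE_FILENAMES = {
    "123.exe", "456.exe", "microdbs.exe", "mscon.exe", "msiexc.exe",
    "msizap.exe", "msupdt32.exe", "mypass.exe", "spsreng.exe",
    "stub2546.exe", "xtreme.exe",
}

# The autostart key named in the entry, in the long form .reg exports use.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_key(reg_text):
    """Return {value_name: data} for the Run key only; other keys are skipped."""
    entries, current_key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg files escape '\' and '"' with a backslash; undo that.
            entries[m["name"]] = re.sub(r"\\(.)", r"\1", m["data"])
    return entries


def executable_path(data):
    """Strip quoting and arguments from Run data, leaving the program path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_bezigate_entries(entries):
    """Return (value_name, path) for entries whose file name is on the drop list."""
    findings = []
    for name, data in entries.items():
        path = executable_path(data)
        if ntpath.basename(path).lower() in BEZIGATE_FILENAMES:
            findings.append((name, path))
    return findings


# Constructed sample export: one benign entry, two that match, one under RunOnce.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"456"="C:\\Windows\\456.exe"
"msupdt32"="\"C:\\Users\\Public\\msupdt32.exe\" -silent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"123"="C:\\Windows\\123.exe"
'''

if __name__ == "__main__":
    for name, path in find_bezigate_entries(parse_run_key(SAMPLE_REG)):
        print(f"suspicious Run value {name!r} -> {path}")
```

Matching on the file name alone is deliberate: the entry gives only an example path ("C:\Windows\456.exe"), so the path is reported for the analyst rather than used as a filter.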

Payload

Allows backdoor access and control

Backdoor:Win32/Bezigate.B attempts to communicate with hackers using the following combinations of hosts (domain names or an IP address) and ports:

  • 78.184.197.86 1604
  • abdelsamed666.no-ip.com 5050
  • all.evilpacket.org 7709
  • barod.no-ip.biz 1515
  • ermenello.servegame.com 4781
  • fofo-123.no-ip.biz 1515
  • hack4ps.no-ip.info 131
  • jorlu.sytes.net 645
  • m30w.evilpacket.org 7709
  • monbebe.no-ip.org 1515
  • mrkarar.np-ip.ibz 1515
  • network-info.sytes.net 1604
  • nikt0x.no-ip.biz 1515
  • niku.uk.to 1515
  • nnqi.vicp.cc 81
  • r0x0r.no-ip.org 1515
  • rawr.evilpacket.org 7709
  • sorbbolindo.no-ip.biz 1515
  • topcumt2.zapto.org 1604
  • updupdupd.servepics.com 1604
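A way to turn the list above into detection logic, as an added example that is not part of the original entry. It matches outbound-connection records against the published host/port pairs, with an exact pair rated high and a listed host seen on a different port rated medium; the log format is a constructed generic one (`<timestamp> <src> -> <dst>:<port>`), standing in for whatever firewall, proxy or endpoint network events a site actually collects, and the sample lines are constructed too.

```python
"""Match outbound-connection log lines against the Bezigate.B C2 list above.

Added example for illustration; not Microsoft's code. The log format is a
constructed generic one ("<timestamp> <src> -> <dst>:<port>").
"""
import re
from dataclasses import dataclass

# Host/port pairs exactly as listed in the entry (the "np-ip.ibz" spelling is
# reproduced as published).
BEZIGATE_C2 = {
    ("78.184.197.86", 1604),
    ("abdelsamed666.no-ip.com", 5050),
    ("all.evilpacket.org", 7709),
    ("barod.no-ip.biz", 1515),
    ("ermenello.servegame.com", 4781),
    ("fofo-123.no-ip.biz", 1515),
    ("hack4ps.no-ip.info", 131),
    ("jorlu.sytes.net", 645),
    ("m30w.evilpacket.org", 7709),
    ("monbebe.no-ip.org", 1515),
    ("mrkarar.np-ip.ibz", 1515),
    ("network-info.sytes.net", 1604),
    ("nikt0x.no-ip.biz", 1515),
    ("niku.uk.to", 1515),
    ("nnqi.vicp.cc", 81),
    ("r0x0r.no-ip.org", 1515),
    ("rawr.evilpacket.org", 7709),
    ("sorbbolindo.no-ip.biz", 1515),
    ("topcumt2.zapto.org", 1604),
    ("updupdupd.servepics.com", 1604),
}
C2_HOSTS = {host for host, _ in BEZIGATE_C2}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    port: int
    confidence: str


def classify(dst, port):
    """'high' for an exact host:port match, 'medium' for a listed host on another port."""
    if (dst, port) in BEZIGATE_C2:
        return "high"
    if dst in C2_HOSTS:
        return "medium"
    return None


def scan(lines):
    """Return a Hit for every parseable line whose destination is on the list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never reported as hits
        dst = m["dst"].lower().rstrip(".")  # normalise case and trailing dot
        port = int(m["port"])
        confidence = classify(dst, port)
        if confidence:
            hits.append(Hit(m["ts"], m["src"], dst, port, confidence))
    return hits


# Constructed sample log lines: two exact matches, one listed host on port 80,
# two benign destinations and one malformed line.
SAMPLE_LOG = [
    "2013-01-05T10:00:01Z 10.0.0.12 -> update.example.com:443",
    "2013-01-05T10:00:07Z 10.0.0.12 -> Network-Info.sytes.net:1604",
    "2013-01-05T10:00:09Z 10.0.0.12 -> 78.184.197.86:1604",
    "2013-01-05T10:01:15Z 10.0.0.33 -> r0x0r.no-ip.org:80",
    "2013-01-05T10:01:20Z 10.0.0.33 -> www.example.com:80",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit.confidence}] {hit.timestamp} {hit.src} -> {hit.dst}:{hit.port}")
```

Most of the listed hosts are dynamic-DNS names, so the IP they resolve to can change between the date of this entry and the day a log is reviewed; matching on the host name as logged, rather than on a resolved address, is what keeps the indicator useful.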

Once it connects with a hacker, Backdoor:Win32/Bezigate.B allows backdoor access and control of your computer, allowing hackers to perform any number of actions, including but not limited to:

  • Stealing information about your computer
  • Stopping and starting processes
  • Creating/removing/copying/moving/modifying files and folders
  • Opening and closing browser windows
  • Enumerating/modifying/starting/stopping running services
  • Enumerating and modifying the Windows registry
  • Logging keystrokes and stealing sensitive information
  • Retrieving files from your computer and sending them to the hacker

Analysis by Gabriel Plouffe, Duc Nguyen & Edgardo Diaz Jr


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    • 123.exe
    • 456.exe
    • microdbs.exe
    • mscon.exe
    • msiexc.exe
    • msizap.exe
    • msupdt32.exe
    • mypass.exe
    • spsreng.exe
    • stub2546.exe
    • xtreme.exe

  • You see this entry in your registry:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<malware file name>"
    With data: "<malware file path>"
 

Prevention


Alert level: Severe
First detected by definition: 1.141.2130.0
Latest detected by definition: 1.185.1915.0 and higher
First detected on: Dec 18, 2012
This entry was first published on: Dec 18, 2012
This entry was updated on: Sep 18, 2013

This threat is also detected as:
No known aliases