Backdoor:Win32/Bigdipper.A

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Mar 22, 2011

Aliases
  • TR/Dldr.Delphi.Gen (Avira)
  • Troj/Scar-T (Sophos)
  • Backdoor:Win32/Agent.ABGA (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.101.20.0
Released: Mar 24, 2011

Summary

Backdoor:Win32/Bigdipper.A is a trojan that allows remote access and control.

Symptoms

System changes
The following system changes may indicate the presence of this malware. The file name, the Run value name and the second subkey are taken from one analyzed sample and vary between builds (see Technical Information):
  • The presence of the following file:

    %SystemRoot%\BDQX.EXE
  • The presence of the following registry modifications:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "C:\lanmao.exe"
    With data: "%SystemRoot%\BDQX.EXE"

    In subkey: HKLM\SOFTWARE\C:\lanmao.exe
    Sets value: "1"
    With data: "2011-3-9 21:59:21"


Technical Information (Analysis)

Backdoor:Win32/Bigdipper.A is a trojan that allows remote access and control.
Installation
This trojan may be installed by other malware. It is built from a construction kit: the attacker configures the build before compiling it, so the file name, registry data and connection target can differ between samples, and the indicators below come from one analyzed sample. When that sample is run, it copies itself as the following:
 
  • %SystemRoot%\BDQX.EXE
 
The registry is modified to run the trojan at each Windows start.
 
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "C:\lanmao.exe"
With data: "%SystemRoot%\BDQX.EXE"
 
During installation, additional registry data is written, as in the following example:
 
In subkey: HKLM\SOFTWARE\C:\lanmao.exe
Sets value: "1"
With data: "2011-3-9 21:59:21"
 
The value data appears to record the date and time of installation. The subkey name follows the trojan's file name, so it differs from sample to sample. When the trojan runs, it launches the Windows utility ipconfig.exe and injects its code into that process, so the backdoor executes under a legitimate process name rather than as a process of its own.
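As an added example (not part of the Microsoft entry), the following Python script checks a `reg export` of HKLM\SOFTWARE for the two persistence indicators described above. Rather than matching only the literal names from this sample, it flags the shape of the artifacts: a Run value whose name is itself a file path, a Run value whose data points at a known-bad executable name, and a subkey directly under HKLM\SOFTWARE that is named like a drive path and holds a timestamp-like value. The .reg text, the benign "Adobe ARM" control entry and the function names are constructed for illustration.

```python
import re

# Constructed sample of a `reg export HKLM\SOFTWARE <file>` text (not captured
# from a real host). The two Bigdipper entries reproduce the indicators in the
# encyclopedia entry; the "Adobe ARM" Run value is a benign control. reg export
# escapes backslashes in value names and REG_SZ data as "\\" (key names in
# brackets are not escaped), and real exports are UTF-16: read them with
# open(path, encoding="utf-16") before passing the text in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="\"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\""
"C:\\lanmao.exe"="%SystemRoot%\\BDQX.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\C:\lanmao.exe]
"1"="2011-3-9 21:59:21"
"""

RUN_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
SOFTWARE_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\"
KNOWN_BAD_EXES = {"bdqx.exe"}                        # file name from the analyzed sample
PATH_LIKE = re.compile(r"^[A-Za-z]:\\")               # "C:\..." used as a value or key name
TIMESTAMP_LIKE = re.compile(r"^\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}:\d{2}$")
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping of backslashes and quotes in names and string data."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; non-string data is kept as written."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, raw = _unescape(m.group(1)), m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = _unescape(raw[1:-1])
            keys[current][name] = raw
    return keys


def find_bigdipper_indicators(reg_text):
    """Return (indicator, location, detail) tuples for the persistence artifacts."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        exe = data.strip('"').rsplit("\\", 1)[-1].lower()
        if PATH_LIKE.match(name):
            # Legitimate Run values are named after the product, not a file path.
            findings.append(("run-value-named-as-path", RUN_KEY, f"{name} = {data}"))
        elif exe in KNOWN_BAD_EXES:
            findings.append(("run-value-known-bad-exe", RUN_KEY, f"{name} = {data}"))
    for key, values in keys.items():
        if not key.upper().startswith(SOFTWARE_PREFIX.upper()):
            continue
        rest = key[len(SOFTWARE_PREFIX):]
        # The installation marker lives in HKLM\SOFTWARE\<trojan file path>;
        # no vendor names a subkey like a drive path.
        if PATH_LIKE.match(rest):
            for vname, vdata in values.items():
                if TIMESTAMP_LIKE.match(vdata):
                    findings.append(("install-marker-subkey", key, f"{vname} = {vdata}"))
    return findings


if __name__ == "__main__":
    for finding in find_bigdipper_indicators(SAMPLE_REG):
        print(*finding, sep="  |  ")
```

On a live host, produce the input with `reg export HKLM\SOFTWARE software.reg` and also check HKCU\Software, since the entry only documents the HKLM location for this sample. The "named like a path" and "timestamp in a path-named subkey" checks are what carry over to other builds of the kit; the BDQX.EXE name is only the one observed here.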
Payload
Opens TCP port
The trojan opens a TCP connection over which a remote attacker gains access to the affected computer. In the analyzed sample, the trojan connected to the local host (IP 127.0.0.1) on TCP port 8080. Because the kit configures the connection target before compilation, other builds connect to an attacker-chosen address and port, so 127.0.0.1:8080 should not be treated as the only network indicator.
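As a second added example (again not from the original entry), this Python script correlates `tasklist` and `netstat -ano` output to spot the injection and connection behaviour described above: ipconfig.exe normally exits within a second and never owns a TCP socket, so an ipconfig.exe process that is still present in a process snapshot, and especially one holding an established TCP connection, deserves examination regardless of which address it talks to. The two output snapshots and the function names are constructed; PID 2332 models the analyzed sample's connection to 127.0.0.1:8080.

```python
import re

# Constructed snapshots of `tasklist` and `netstat -ano` output from a
# hypothetical infected host; these are not captured from a real incident.
# PID 2332 models the behaviour in the entry: an ipconfig.exe process that
# persists and holds the loopback:8080 connection.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
svchost.exe                    876 Services                   0      6,412 K
ipconfig.exe                  2332 Console                    1      3,212 K
firefox.exe                   1504 Console                    1    212,460 K
"""

SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    127.0.0.1:49201        127.0.0.1:8080         ESTABLISHED     2332
  TCP    192.168.1.10:49300     93.184.216.34:443      ESTABLISHED     1504
  UDP    0.0.0.0:500            *:*                                    876
"""

TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
NETSTAT_TCP_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")

# Console utilities that finish almost immediately and never own TCP sockets.
# ipconfig.exe is the one the entry names as the injection target.
SHORT_LIVED_NO_NETWORK = {"ipconfig.exe"}


def parse_tasklist(text):
    """Map PID -> lower-cased image name from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line.rstrip())
        if m:
            procs[int(m.group("pid"))] = m.group("image").strip().lower()
    return procs


def parse_netstat_tcp(text):
    """List (local, remote, state, pid) for the TCP rows of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if m:
            rows.append((m.group("local"), m.group("remote"),
                         m.group("state"), int(m.group("pid"))))
    return rows


def find_injected_ipconfig(tasklist_text, netstat_text):
    """Return (indicator, pid, detail) tuples for suspicious utility processes."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    # 1. A snapshot that contains ipconfig.exe at all is odd: it should have exited.
    for pid, image in procs.items():
        if image in SHORT_LIVED_NO_NETWORK:
            findings.append(("long-lived-utility", pid, image))
    # 2. A TCP socket owned by such a process is the stronger signal; the remote
    #    address is reported but not matched, since each build is configured
    #    with its own target.
    for local, remote, state, pid in parse_netstat_tcp(netstat_text):
        image = procs.get(pid, "<unknown>")
        if image in SHORT_LIVED_NO_NETWORK:
            findings.append(("utility-owns-tcp-socket", pid,
                             f"{image} {local} -> {remote} {state}"))
    return findings


if __name__ == "__main__":
    for finding in find_injected_ipconfig(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(*finding, sep="  |  ")
```

Collect both snapshots in the same second (`tasklist > t.txt & netstat -ano > n.txt`) so PIDs line up; a flagged PID should then be examined for injected memory regions rather than trusted because its image name is a Windows utility.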
 
Allows limited remote access and control
The trojan allows a remote attacker to perform the following actions on the affected computer:
 
  • Capture video
  • Log keystrokes
  • Open a command shell to execute other commands
 
A remote attacker uses a graphical controller to connect to and control the affected computer. [Image in the original entry: screenshot of the controller interface; not reproduced here]
Analysis by Xinrui Qin


Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. Microsoft antimalware products detect and remove this threat with definition 1.101.20.0 (released Mar 24, 2011) or later.
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
