Backdoor:Win32/Cycbot.B is a backdoor trojan that gives attackers unauthorized access to, and control of, an affected computer. After a computer is infected, the trojan connects to a specific remote server to receive commands from attackers. The commands may include instructing the trojan to update itself, visit web links, or download and execute arbitrary files.
When executed, Backdoor:Win32/Cycbot.B copies itself to c:\documents and settings\administrator\application data\microsoft\svchost.exe.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "svchost"
With data: "c:\documents and settings\administrator\application data\microsoft\svchost.exe"
The malware creates the following files on an affected computer:
c:\documents and settings\administrator\application data\microsoft\stor.cfg
c:\documents and settings\administrator\application data\microsoft\windows\shell.exe
c:\documents and settings\administrator\local settings\temp\dwm.exe
These files store configuration and logging information for the malware.
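The persistence entry and dropped files above are the host-based indicators a responder can check for. The following script is an added example, not part of this write-up: it takes Run-key entries and file paths as plain data (for instance exported from an affected machine) and flags the patterns described above. It generalises slightly: any Run value that launches an svchost.exe or dwm.exe from outside the Windows system directories is flagged, since the genuine binaries only live there. The profile directory name is stripped from the match because the paths on the page reflect the analysis machine's "administrator" profile (an assumption about other profiles). Sample entries are constructed.

```python
import ntpath

# Dropped-file locations from the write-up, relative to the user profile.
DROPPED_FILE_SUFFIXES = (
    "\\application data\\microsoft\\svchost.exe",
    "\\application data\\microsoft\\stor.cfg",
    "\\application data\\microsoft\\windows\\shell.exe",
    "\\local settings\\temp\\dwm.exe",
)
RUN_VALUE_NAME = "svchost"          # value name added under the Run key
# The real svchost.exe / dwm.exe only live in these directories.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
MASQUERADED_NAMES = ("svchost.exe", "dwm.exe")

def _norm(path):
    """Lower-case and normalise a Windows path, dropping surrounding quotes."""
    return ntpath.normpath(path.strip('"')).lower()

def check_run_entries(entries):
    """entries: iterable of (subkey, value_name, data) read from a Run key.
    Returns [(subkey, value_name, data, reason), ...] for suspicious entries."""
    findings = []
    for subkey, name, data in entries:
        path = _norm(data)
        in_system_dir = any(d in path for d in SYSTEM_DIRS)
        if name.lower() == RUN_VALUE_NAME and not in_system_dir:
            findings.append((subkey, name, data,
                             "Run value 'svchost' launches a file outside the system directory"))
        elif ntpath.basename(path) in MASQUERADED_NAMES and not in_system_dir:
            findings.append((subkey, name, data,
                             "system binary name launched from a user-writable location"))
    return findings

def check_file_paths(paths):
    """Return the paths whose tail matches one of the dropped-file locations."""
    return [p for p in paths
            if any(_norm(p).endswith(s) for s in DROPPED_FILE_SUFFIXES)]

SAMPLE_RUN_ENTRIES = [  # constructed sample data for this example
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"c:\documents and settings\administrator\application data\microsoft\svchost.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"c:\program files\examplevendor\updater.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "dwm",
     r"c:\documents and settings\administrator\local settings\temp\dwm.exe"),
]

if __name__ == "__main__":
    for finding in check_run_entries(SAMPLE_RUN_ENTRIES):
        print(finding)
```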
Allows backdoor access and control
Backdoor:Win32/Cycbot.B allows unauthorized access and control of an affected computer. It does so by connecting to one of a number of web servers, which may respond with commands for it to execute. It may also send status information to these servers.
Examples of servers used by the malware include the following:
An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Cycbot.B. This could include, but is not limited to, the following actions:
Download and execute arbitrary files
Visit web links, possibly to collect money from pay-per-click advertising
Modify system settings
Run or terminate applications
Downloads and installs additional malware
Backdoor:Win32/Cycbot.B has been observed to download and execute fake security software, such as Rogue:Win32/FakePAV.
Analysis by David Wood