Backdoor:Win32/Hostil.gen!A

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Apr 13, 2010

Aliases
  • Win-Trojan/Sasfis.165376.C (AhnLab)
  • Trojan.Win32.Sasfis.aaek (Kaspersky)
  • W32/Malware.LOME (Norman)
  • Trojan horse Small.BSP (AVG)
  • Win32/Hostil.H (CA)
  • Trojan.Inject.8184 (Ikarus)
  • Generic BackDoor!cde (McAfee)
  • Trojan.Win32.Generic.51FA9C37 (Rising AV)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.99.1783.0
Released: Mar 23, 2011
Detection initially created:
Definition: 1.51.227.0
Released: Feb 04, 2009

Summary

Backdoor:Win32/Hostil.gen!A is a backdoor trojan that allows unauthorized access and control to an affected computer.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    <system folder>\regedit.exe
  • The presence of the following registry modifications:
    Adds value: "Calc32"
    With data: "<system folder>\regedit.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Technical Information (Analysis)

Backdoor:Win32/Hostil.gen!A is a backdoor trojan that allows unauthorized access and control to an affected computer.
Installation
When executed, the malware injects code into svchost.exe, then copies itself to <system folder>\regedit.exe
and creates the following registry entry to ensure execution at each Windows start:

Adds value: "Calc32"
With data: "<system folder>\regedit.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

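The persistence indicator above (a Run value named "Calc32" whose data is <system folder>\regedit.exe) can be checked offline against an exported Run key. The following script is an added example written for this page, not part of the original analysis or any Microsoft tool; the Run values, the environment mapping used to expand %SystemRoot%-style references, and the system folder path are all constructed. It flags a hit on either half of the indicator (the value name, or a Run entry that launches regedit.exe from the system folder), since the Registry Editor is not normally started from a Run value at all.

```python
import ntpath
import re

# Indicators taken from the encyclopedia entry above.
KNOWN_VALUE_NAME = "calc32"
KNOWN_FILENAME = "regedit.exe"

# Constructed sample of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# values (value name -> data), as a registry export tool might return them.
# Not taken from a real host.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Calc32": r"%SystemRoot%\System32\regedit.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
# Constructed environment used to expand %VAR% references in value data.
SAMPLE_ENV = {"SYSTEMROOT": r"C:\Windows", "WINDIR": r"C:\Windows"}


def expand_env(data: str, env: dict) -> str:
    """Expand %VAR% references the way Run value data is expanded at logon."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), data)


def command_image(data: str) -> str:
    """Return the executable path from a Run value's data, dropping
    surrounding quotes and any trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_hostil_persistence(run_values: dict, system_folder: str, env: dict = None) -> list:
    """Flag Run values matching the Hostil persistence pattern.

    A hit needs the value name 'Calc32' and/or data that launches regedit.exe
    from inside the system folder (e.g. C:\\Windows\\System32).
    Returns (value_name, image_path, reasons) for each hit."""
    env = env or {}
    sysdir = ntpath.normcase(ntpath.normpath(system_folder))
    hits = []
    for name, data in run_values.items():
        image = command_image(expand_env(data, env))
        norm = ntpath.normcase(ntpath.normpath(image))  # case- and slash-insensitive compare
        reasons = []
        if name.lower() == KNOWN_VALUE_NAME:
            reasons.append("value name matches known indicator 'Calc32'")
        if ntpath.basename(norm) == KNOWN_FILENAME and ntpath.dirname(norm) == sysdir:
            reasons.append("launches regedit.exe from the system folder")
        if reasons:
            hits.append((name, image, reasons))
    return hits


if __name__ == "__main__":
    for name, image, reasons in find_hostil_persistence(SAMPLE_RUN_VALUES, r"C:\Windows\System32", SAMPLE_ENV):
        print(f"{name}: {image} -> {'; '.join(reasons)}")
```

On a live host the same function can be fed the output of `reg query` or a registry hive parser; the system folder argument should be the actual value of the System32 directory for that host rather than a hard-coded path.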
Payload
Allows backdoor access and control
The malware allows unauthorized access and control to an affected computer. It attempts to connect to a number of specified remote hosts via port 25. We have observed the malware contacting the following remote hosts:

mxs.mail.ru
alt4.gmail-smtp-in-l.google.com
b.mx.mail.yahoo.com
in1.smtp.messagingengine.com
mx2.mailhop.org

Using this backdoor functionality, an attacker may be able to download and execute other files.
Additional Information
The code injected into svchost.exe creates two mutexes with names that use the following format:

mutogen<number>

Analysis by Dan Kurc
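The mutex format and the port-25 contacts described in the Payload and Additional Information sections can both be turned into detection logic. The script below is an added example for this page, not part of the original analysis; the mutex list and connection log lines are constructed, and the handling of a Global\ or Local\ namespace prefix on mutex names is an assumption beyond the format given above. It also generalises the network indicator: because the five hosts listed are public mail exchangers, the useful signal is a non-mail-server endpoint opening direct SMTP connections, so any such connection is reported and a match against the observed hosts is labelled separately.

```python
import re

# Indicators from the entry above: the mutex naming format and the mail hosts
# the malware was observed contacting on port 25.
MUTEX_PATTERN = re.compile(r"^mutogen\d+$", re.IGNORECASE)
OBSERVED_HOSTS = {
    "mxs.mail.ru",
    "alt4.gmail-smtp-in-l.google.com",
    "b.mx.mail.yahoo.com",
    "in1.smtp.messagingengine.com",
    "mx2.mailhop.org",
}

# Constructed sample data; neither list comes from a real host or network.
SAMPLE_MUTEXES = [
    "Global\\SomeVendorUpdaterMutex",
    "mutogen1234",
    "Global\\MUTOGEN98",
    "mutogenx",          # does not fit the format: no trailing number
]
SAMPLE_CONN_LOG = """\
2011-03-23T10:01:02 src=10.0.0.15 dst=mxs.mail.ru dport=25 proto=tcp action=allow
2011-03-23T10:01:05 src=10.0.0.15 dst=www.example.com dport=443 proto=tcp action=allow
2011-03-23T10:02:11 src=10.0.0.15 dst=mx2.mailhop.org dport=25 proto=tcp action=allow
2011-03-23T10:02:30 src=10.0.0.2 dst=b.mx.mail.yahoo.com dport=25 proto=tcp action=allow
2011-03-23T10:03:47 src=10.0.0.23 dst=smtp.example.net dport=25 proto=tcp action=allow
"""
# Constructed: internal hosts that are supposed to deliver mail directly.
SAMPLE_MAIL_SERVERS = {"10.0.0.2"}

CONN_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def matching_mutexes(names):
    """Return mutex names of the form mutogen<number>, ignoring a
    Global\\ or Local\\ namespace prefix (assumed) and letter case."""
    hits = []
    for name in names:
        bare = name.rsplit("\\", 1)[-1]
        if MUTEX_PATTERN.match(bare):
            hits.append(name)
    return hits


def suspicious_smtp_connections(log_text, mail_servers):
    """Flag outbound port-25 connections from hosts that are not mail servers.

    A hit to one of the entry's observed destinations is labelled as such;
    any other direct SMTP from a non-mail-server host is still reported,
    since workstations normally relay through the organisation's mail server.
    Returns (src, dst, reason) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m or m["dport"] != "25" or m["src"] in mail_servers:
            continue
        if m["dst"].lower() in OBSERVED_HOSTS:
            reason = "destination is a host observed in the Hostil analysis"
        else:
            reason = "direct SMTP from a non-mail-server host"
        hits.append((m["src"], m["dst"], reason))
    return hits


if __name__ == "__main__":
    print("mutex hits:", matching_mutexes(SAMPLE_MUTEXES))
    for src, dst, reason in suspicious_smtp_connections(SAMPLE_CONN_LOG, SAMPLE_MAIL_SERVERS):
        print(f"{src} -> {dst}:25  {reason}")
```

Blocking the listed hosts outright would break legitimate mail delivery; the appropriate control is to restrict outbound port 25 to the mail servers that need it and investigate any other endpoint that appears in these hits.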

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.