Backdoor:Win32/Belmoo.A


Backdoor:Win32/Belmoo.A is a trojan that opens TCP port 443 and could allow a connection from a remote attacker.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
In the wild, this trojan is known to be delivered via JavaScript when browsing a compromised website with the Firefox web browser. When run, the trojan copies itself as the following file:

%windir%\temp\symantec.exe

The registry is modified to run the trojan at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Update"
To data: "%windir%\temp\symantec.exe"
Payload
Allows backdoor remote access and control
Backdoor:Win32/Belmoo.A first checks for Internet connectivity by connecting to the domain "update.microsoft.com" on TCP port 80. The trojan then attempts to connect to the site "l-3com.dyndns-work.com" on TCP port 443, allowing backdoor remote access and control.

If that connection attempt fails, the trojan instead attempts to connect to the site "l-3com.dyndns.tv" on TCP port 80.
 
Analysis by Jaime Wong

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %windir%\temp\symantec.exe
  • The presence of the following registry modifications:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Microsoft Windows Update"
    To data: "%windir%\temp\symantec.exe"
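The following PowerShell script is an added example, not part of this encyclopedia entry, that checks a Windows host for the artifacts listed above: the dropped file, the per-user Run value, and any cached DNS lookups for the two command-and-control names. It assumes PowerShell 3.0 or later (for Get-FileHash and Get-DnsClientCache) and must be run in the context of each user profile whose HKCU hive should be inspected.

```powershell
# Added example: host check for the Backdoor:Win32/Belmoo.A artifacts from the entry above.
# Indicator values are taken from the entry; nothing here is fabricated.
$indicators = [ordered]@{
    FilePath     = Join-Path $env:windir 'temp\symantec.exe'
    RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    RunValueName = 'Microsoft Windows Update'
    C2Hosts      = @('l-3com.dyndns-work.com', 'l-3com.dyndns.tv')
}

$findings = @()

# 1. Dropped copy in %windir%\temp. Record the hash so the sample can be submitted
#    or compared later; the entry itself lists no hash, so none is asserted here.
if (Test-Path -LiteralPath $indicators.FilePath) {
    $hash = (Get-FileHash -LiteralPath $indicators.FilePath -Algorithm SHA256).Hash
    $findings += "File present: $($indicators.FilePath) (SHA256 $hash)"
}

# 2. Run-key persistence. Match on the value name and report its data, so a
#    variant that points the same name at a different path is still flagged.
$run = Get-ItemProperty -Path $indicators.RunKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $indicators.RunValueName)) {
    $data = $run.($indicators.RunValueName)
    $findings += "Run value '$($indicators.RunValueName)' present, data: $data"
}

# 3. Passive check of the DNS client cache for the C2 names. This reads what the
#    host has already resolved and does not issue any lookups of its own.
$cached = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $indicators.C2Hosts -contains $_.Entry }
foreach ($entry in $cached) {
    $findings += "DNS cache entry for C2 name: $($entry.Entry) -> $($entry.Data)"
}

# Summarise. A non-zero exit code lets the script be used from a scheduled task
# or remote-execution tool that keys off exit status.
if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/Belmoo.A artifacts found.'
    exit 0
}
Write-Output 'Possible Backdoor:Win32/Belmoo.A infection:'
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Because the Run key lives under HKCU, run the check once per interactive user, or load each NTUSER.DAT hive and query the equivalent path under HKEY_USERS.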

Prevention


Alert level: Severe
First detected by definition: 1.93.562.0
Latest detected by definition: 1.93.562.0 and higher
First detected on: Oct 27, 2010
This entry was first published on: Oct 26, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Belmoo (Norman)
  • BKDR_NINDYA.A (Trend Micro)