Backdoor:Win32/Cycbot.B


Backdoor:Win32/Cycbot.B is a backdoor trojan that allows attackers unauthorized access and control of an affected computer. After a computer is infected, the trojan connects to a specific remote server to receive commands from attackers. The commands may include instructing the trojan to update itself, visit web links, or download and execute arbitrary files.


What to do now

To detect and remove this threat and other malicious software that may have been installed on your computer, run a full-system scan with an up-to-date antivirus product. For more information about using antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
When executed, Backdoor:Win32/Cycbot.B copies itself to c:\documents and settings\administrator\application data\microsoft\svchost.exe.

The malware modifies the following registry entries to ensure that its copy executes at each Windows start:

To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "svchost"
With data: "c:\documents and settings\administrator\application data\microsoft\svchost.exe"
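As an added defender-side example (not from this encyclopedia entry), the following Python checks a .reg export of the two Run keys above for the persistence pattern just described: a value that launches a Windows system-binary name such as svchost.exe or dwm.exe from outside the system directory, or any executable from a user-writable profile path. The sample export, its benign SecurityHealth and OneDrive entries, and the high/low severity labels are constructed assumptions; only the "svchost" entry reproduces what the page documents.

```python
import re

# Constructed .reg-style export of the two Run keys the page names. The "svchost"
# entry reproduces the value and data the page documents; the other two entries
# are made-up benign ones, included for contrast.
SAMPLE_REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"svchost"="c:\\documents and settings\\administrator\\application data\\microsoft\\svchost.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# Genuine Windows binary names the page's sample borrows (svchost.exe, dwm.exe):
# launching one from outside the system directory is a high-confidence indicator.
SYSTEM_BINARY_NAMES = {"svchost.exe", "dwm.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")
# User-writable profile paths are common for malware but also for legitimate
# per-user installs, so on their own they are only a low-confidence indicator.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\")
RUN_KEY_RE = re.compile(r"^\[(.+\\CurrentVersion\\Run)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_run_values(reg_text):
    """Yield (key, value_name, command) for each value under a ...\\Run key."""
    run_key = None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            run_key = m.group(1) if m else None  # values of other keys are skipped
        elif run_key and (m := VALUE_RE.match(line)):
            # .reg exports escape backslashes and embedded quotes
            yield run_key, m.group(1), m.group(2).replace('\\"', '"').replace("\\\\", "\\")

def executable_path(command):
    """Return the .exe a Run command launches (quotes/arguments stripped), else None."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else None

def find_suspicious_run_entries(reg_text):
    """Return {value_name: (severity, exe_path)} for Run entries worth a look."""
    findings = {}
    for _key, name, command in parse_run_values(reg_text):
        exe = executable_path(command) or ""  # "" when the command launches no .exe
        low = exe.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIRS):
            findings[name] = ("high", exe)
        elif any(marker in low for marker in USER_WRITABLE_MARKERS):
            findings[name] = ("low", exe)
    return findings
```

Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`), a "high" hit on the "svchost" value with the Application Data path above is the persistence entry this page describes; "low" hits need a look at the signer and install source before acting.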

The malware creates the following files on an affected computer:
 
  • c:\documents and settings\administrator\application data\microsoft\stor.cfg
  • c:\documents and settings\administrator\application data\microsoft\windows\shell.exe
  • c:\documents and settings\administrator\local settings\temp\dwm.exe
These files store configuration and logging information for the malware.
Payload
Allows backdoor access and control
Backdoor:Win32/Cycbot.B allows unauthorized access and control of an affected computer. It does so by connecting to one of a number of web servers, which may respond with commands for it to execute. It may also send status information to these servers.
 
Examples of servers used by the malware include the following:
An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Cycbot.B. This could include, but is not limited to, the following actions:
  • Download and execute arbitrary files
  • Update itself
  • Stop running
  • Visit web links, possibly to collect money from pay-per-click advertising
  • Modify system settings
  • Run or terminate applications
  • Delete files
 
Downloads and installs additional malware
Backdoor:Win32/Cycbot.B has been observed to download and execute fake security software, such as Rogue:Win32/FakePAV.
 
Analysis by David Wood

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
      • c:\documents and settings\administrator\application data\microsoft\stor.cfg
      • c:\documents and settings\administrator\application data\microsoft\svchost.exe
      • c:\documents and settings\administrator\application data\microsoft\windows\shell.exe
      • c:\documents and settings\administrator\local settings\temp\dwm.exe
  • The presence of the following registry modifications:
      To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      or subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Adds value: "svchost"
      With data: "c:\documents and settings\administrator\application data\microsoft\svchost.exe"
  • Reports of infections of Rogue:Win32/FakePAV

Prevention


Alert level: Severe
First detected by definition: 1.91.874.0
Latest detected by definition: 1.177.270.0 and higher
First detected on: Sep 30, 2010
This entry was first published on: Oct 13, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • TROJ_FAKELRT.SMC (Trend Micro)