Encyclopedia entry
Updated: May 14, 2010 | Published: Dec 22, 2008
Aliases
Win32/VMalum.DJOR (CA)
Backdoor.IRCBot.ACFL (BitDefender)
Backdoor.Win32.IRCBot.dsi (Kaspersky)
W32/Sdbot.worm (McAfee)
W32.Spybot.Worm (Symantec)
Alert Level: Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition 1.91.1675.0, released Oct 13, 2010
Detection initially created: Definition 1.45.287.0, released Oct 07, 2008
Summary
Backdoor:Win32/Momibot.gen!B is a backdoor trojan that connects to certain IRC servers to perform various actions on the infected system.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
Technical Information (Analysis)
Installation
When run, Backdoor:Win32/Momibot.gen!B copies itself to the Windows system folder using a random file name. It then runs its dropped copy.
It creates the mutex 5t3xJHB19ZDx37t3F1 to ensure that only one instance of itself is running.
It modifies the system registry so that its dropped copy runs every time Windows starts, adding the value "Win32Update" with data "<malware file name>" to each of the following subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\OLE
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Payload
Performs Backdoor Functionalities
Depending on the sample, Backdoor:Win32/Momibot.gen!B connects to an IRC server to receive commands. It may use port 6667 (the standard IRC port) to reach the Internet.
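A host triage check for the persistence artifacts listed in this entry, added here as an example; it is not Microsoft's code. The value name, registry subkeys and mutex name come from the entry above; the script assumes Windows PowerShell running on the host being checked, with read access to HKLM.

```powershell
# Added triage script for the artifacts this entry describes (not Microsoft's code).
# Value name, subkeys and mutex name come from the entry; the rest is this script's logic.
$ValueName = 'Win32Update'
$MutexName = '5t3xJHB19ZDx37t3F1'
$SubKeys   = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\OLE',                 # not a normal autostart location
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'    # not a normal autostart location
)

$findings = @()
foreach ($key in $SubKeys) {
    if (-not (Test-Path -Path $key)) { continue }  # e.g. RunServices does not exist on NT-based Windows
    $data = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $data) { continue }

    # The entry gives the data as "<malware file name>", dropped in the Windows system
    # folder, so a bare name is resolved against that folder before checking the file.
    $path = ([string]$data).Trim('"')
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path ([Environment]::SystemDirectory) $path
    }
    $note = if (Test-Path -LiteralPath $path) { "File present: $path" } else { 'Referenced file missing' }
    $findings += [pscustomobject]@{
        Indicator = 'RegistryValue'
        Location  = "$key\$ValueName"
        Data      = $data
        Note      = $note
    }
}

# Mutex check for the current session: OpenExisting succeeds (or fails with access
# denied) only when a running process currently holds a mutex of that name.
try {
    $m = [System.Threading.Mutex]::OpenExisting($MutexName)
    $m.Dispose()
    $findings += [pscustomobject]@{ Indicator = 'Mutex'; Location = $MutexName; Data = ''; Note = 'Held by a running process' }
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex not present: nothing to report.
} catch [System.UnauthorizedAccessException] {
    $findings += [pscustomobject]@{ Indicator = 'Mutex'; Location = $MutexName; Data = ''; Note = 'Exists (access denied)' }
}

if ($findings.Count -eq 0) { Write-Output 'No Momibot.gen!B persistence artifacts found.' }
else                       { $findings | Format-Table -AutoSize }
```

A hit on the OLE or Lsa subkey is the more telling result, since legitimate software does not place startup entries there; a Run or RunServices hit should be confirmed against the referenced file before acting on it.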
Analysis by Dan Kurc