Backdoor:Win32/Talsab.C
Encyclopedia entry
Updated: Oct 28, 2012 | Published: Feb 10, 2011
Aliases
- Win32/SchwarzeSonne.G (ESET)
- Win32/Spy.Swisyn.GE (ESET)
- Backdoor.Talsab!3F46 (Rising AV)
- Backdoor.Yobdam!3F68 (Rising AV)
- Backdoor.Win32.Yobdam (Ikarus)
- Backdoor.Win32.Yobdam.bdm (Kaspersky)
- Backdoor.Yobdam!SoPEuemo7UY (VirusBuster)
- Backdoor.Yobdam!mexVahcpS7A (VirusBuster)
- TR/Swisyn.aibt (Avira)
- BDS/Talsab.C.2 (Avira)
- BackDoor.Rat.BB (AVG)
Alert Level
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition: 1.147.1653.0 Released: Apr 11, 2013
Detection initially created: Definition: 1.97.1456.0 Released: Feb 10, 2011
Summary
Backdoor:Win32/Talsab.C is a trojan that records keystrokes and allows unauthorized access and control of your computer.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following files:
  %APPDATA%\dllhost.exe
  %APPDATA%\pagefile.sys
  %APPDATA%\rundll.exe
  %APPDATA%\scrss.exe
- The presence of the following registry modification:
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "ctfmon"
  With data: "%APPDATA%\<malware file name>", for example "%APPDATA%\rundll.exe"
Technical Information (Analysis)
Backdoor:Win32/Talsab.C is a trojan that records keystrokes and allows unauthorized access and control of your computer.
Installation
Backdoor:Win32/Talsab.C is typically installed in the %APPDATA% folder by other malware such as the following:
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".
In the wild, we have observed Backdoor:Win32/Talsab.C installed with the following names:
- rundll.exe
- dllhost.exe
- scrss.exe
Backdoor:Win32/Talsab.C modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ctfmon"
With data: "%APPDATA%\<malware file name>", for example "%APPDATA%\rundll.exe"
The trojan drops the file "pagefile.sys" in the %APPDATA% folder, which it uses to store captured keystrokes.
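A defender-side check for the artifacts this entry documents (the "ctfmon" Run value pointing into %APPDATA%, the three dropped executable names, and the pagefile.sys keystroke log), added here as an example and not part of the encyclopedia entry. The inventory it scans is constructed sample data; the legitimate ctfmon.exe Run entry under System32 is an assumption about older Windows installs, not something the entry states.

```python
import re

# Indicators taken from the entry: Run value name, dropped executables, keystroke log.
TALSAB_RUN_VALUE = "ctfmon"
TALSAB_FILENAMES = {"rundll.exe", "dllhost.exe", "scrss.exe"}
TALSAB_KEYLOG_FILE = "pagefile.sys"

# A path directly inside roaming Application Data: the %APPDATA% variable itself or
# the default locations for Windows 2000/XP/2003 and Vista/7 named in the entry.
APPDATA_RE = re.compile(
    r"^(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming|"
    r"[A-Za-z]:\\Documents and Settings\\[^\\]+\\Application Data)\\([^\\]+)$",
    re.IGNORECASE,
)

def appdata_basename(path):
    """File name if `path` sits directly in roaming AppData, otherwise None."""
    m = APPDATA_RE.match(path.strip().strip('"'))
    return m.group(1).lower() if m else None

def check_run_value(name, data):
    """Finding for one HKCU\\...\\Run value (name, data), or None if it looks clean."""
    base = appdata_basename(data)
    if name.lower() == TALSAB_RUN_VALUE and base in TALSAB_FILENAMES:
        return f"Run '{name}' -> {data}: Backdoor:Win32/Talsab.C persistence entry"
    if base in TALSAB_FILENAMES:
        return f"Run '{name}' -> {data}: Talsab.C file name launched from %APPDATA%"
    return None

def check_appdata_file(path):
    """Finding for one file path, or None. The real page file at the volume root is not flagged."""
    base = appdata_basename(path)
    if base == TALSAB_KEYLOG_FILE:
        return f"{path}: pagefile.sys inside %APPDATA% is the Talsab.C keystroke log"
    if base in TALSAB_FILENAMES:
        return f"{path}: Talsab.C dropped executable name in %APPDATA%"
    return None

def scan(run_values, files):
    """Apply both checks to an inventory and return the list of findings."""
    hits = [check_run_value(n, d) for n, d in run_values]
    hits += [check_appdata_file(p) for p in files]
    return [h for h in hits if h]

# Constructed sample inventory (not from the entry). First Run value: an assumed
# legitimate ctfmon.exe under System32; second: a Talsab.C-style entry.
SAMPLE_RUN = [("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
              ("ctfmon", r"C:\Documents and Settings\alice\Application Data\rundll.exe")]
SAMPLE_FILES = [r"C:\Users\bob\AppData\Roaming\pagefile.sys", r"C:\pagefile.sys",
                r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Themes\x.theme"]
```

Calling scan(SAMPLE_RUN, SAMPLE_FILES) returns two findings: the Talsab.C-style Run value and the keystroke log in the roaming profile, while the System32 ctfmon.exe entry and the real C:\pagefile.sys pass.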
Payload
Allows backdoor access and control
Backdoor:Win32/Talsab.C attempts to connect to the following C&C (command and control) servers, using variable ports, to allow unauthorized access and control of your computer:
- 69.162.85.234
- 184.171.161.1
- 205.251.140.1
- serkan0132.zapto.org
An attacker can perform any number of actions on your computer using Backdoor:Win32/Talsab.C. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Delete files
- Take a screenshot
- Modify system settings
- Log keystrokes
- Run or terminate applications
- Capture images taken by your webcam
Related encyclopedia entries
Trojan:Win32/Delf.KQ
Trojan:Win32/DelfInject.A
Trojan:Win32/Qhost.gen!D
Trojan:Win32/VB.AED
Trojan:Win32/VB.LV
TrojanDropper:Win32/Swisyn
VirTool:Win32/DelfInject.gen!BI
VirTool:Win32/Keylogger.A
VirTool:Win32/VBInject
Analysis by Mihai Calota
Prevention and recovery
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat: