Win32/Phdet is a multi-component family of backdoor trojans that are used to perform distributed denial of service (DDoS) attacks against specified targets.
When Win32/Phdet is run, it copies itself to <system folder>. The file name used may differ across variants.
In the wild, we have observed one variant using the file name "mssrv32.exe".
It changes registry entries so that it runs each time you start your PC, for example:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\msupdate
Sets value: "ImagePath"
With data: "<system folder>\<malware file name>", for example "C:\Windows\System32\mssrv32.exe"
Sets value: "DisplayName"
With data: "Microsoft security update service"
Sets value: "Description"
With data: "This service downloading and installing Windows security updates"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Start"
With data: "2"
Sets value: "ErrorControl"
With data: "0"
Sets value: "Type"
With data: "16"
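The persistence key described above can be audited offline from a registry export. The following is an added example, not code from the Microsoft write-up: it parses the Services subkeys out of a .reg text export and flags any entry matching the indicators listed here (service key name msupdate, the observed mssrv32.exe file name, and the DisplayName and Description strings). The sample export is constructed, and the function names are the example's own.

```python
import re
# Services subkey header (group 1 = service name) and "Name"="string" / "Name"=dword:xxxxxxxx value lines.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-f]{8}))$', re.I)

def parse_reg_services(reg_text):
    """Return {service_name: {value_name: data}} for every Services subkey in the export."""
    services, current = {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):                    # key header: switch (or drop) context
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
            if current:
                services.setdefault(current, {})
            continue
        m = VAL_RE.match(line) if current else None
        if m:                                       # .reg escapes '\' inside strings as '\\'
            name, s, dw = m.groups()
            services[current][name] = int(dw, 16) if dw else s.replace("\\\\", "\\")
    return services

def find_phdet_services(services):
    """Flag services whose key name, binary or display strings match the Phdet indicators."""
    hits = []
    for name, v in services.items():
        get = lambda k: str(v.get(k, "")).lower()   # case-insensitive view of one value
        reasons = [why for cond, why in (
            (name == "msupdate", "service key 'msupdate'"),
            (get("ImagePath").endswith("\\mssrv32.exe"), "ImagePath is the observed name mssrv32.exe"),
            (get("DisplayName") == "microsoft security update service", "DisplayName matches"),
            ("downloading and installing windows security updates" in get("Description"), "Description matches"),
        ) if cond]
        if reasons:
            hits.append((name, reasons))
    return hits

# Constructed sample export: a benign service followed by the Phdet persistence key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"DisplayName"="Print Spooler"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate]
"ImagePath"="C:\\Windows\\System32\\mssrv32.exe"
"DisplayName"="Microsoft security update service"
"Description"="This service downloading and installing Windows security updates"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010
'''
```

Start=2 and ObjectName=LocalSystem are deliberately not used as indicators on their own, since many legitimate auto-start services share them.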
Performs denial of service attacks
Win32/Phdet allows unauthorized access and control of your PC. Using this backdoor, an attacker can perform DDoS attacks against specified targets. A remote malicious hacker can perform the following actions on your PC:
- Perform "flood" (DDoS) attacks using the network protocols ICMP, SYN, HTTP or UDP
- Disable the trojan
- Uninstall the trojan
- Run a specified URL using Internet Explorer
Steals your sensitive information
These threats can steal your sensitive information and send it to a malicious hacker. This can include:
- Your domain accounts and passwords (from the Security Accounts Manager (SAM) and Active Directory)
- Recording which keys you press
- Stealing your user names and passwords from web browsers, mail clients and instant messenger clients
- Checking open ports of a remote machine
- Taking screenshots of your PC
We have seen some variants using a third-party password recovery tool (The Bat!) to collect your passwords.
Contacts remote host
Win32/Phdet can also connect to a remote host for instructions, and to send stolen information from your PC to a malicious hacker. We have seen one sample contacting "<removed>-off.ru" for this purpose.
Analysis by Jireh Sanico and Scott Molenkamp