Threat behavior
Backdoor:MSIL/Twoeebot.B is a detection for an obfuscated .NET backdoor trojan that connects to the Web site Twitter.com to retrieve and execute commands from a specified Twitter user account page.
Installation
Backdoor:MSIL/Twoeebot.B may be generated by Backdoor:MSIL/Twoeebot.A and distributed by the malware author. When run, Backdoor:MSIL/Twoeebot.B copies itself as the following:
The registry is modified to run the trojan at each Windows start:
Adds value: "svchost"
With data: "%APPDATA%\svchost.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
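The following PowerShell audit is an added example, not part of this encyclopedia entry: it reads the per-user Run key named above and flags any value whose data resolves into %APPDATA% while its name mimics a Windows system binary, the pattern this trojan uses (the legitimate svchost.exe lives under System32, never under %APPDATA%). The list of impersonated names beyond "svchost" and the function name Test-SuspiciousRunEntry are assumptions of this example.

```powershell
# Added example (not from the encyclopedia entry): audit HKCU Run for the
# persistence pattern described above, i.e. a value named after a system
# binary whose data points into %APPDATA% rather than %SystemRoot%\System32.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Assumed list of system binary names commonly impersonated; "svchost" is the
# one this entry reports, the others are added for broader coverage.
$systemNames = @('svchost', 'csrss', 'lsass', 'winlogon', 'explorer')

function Test-SuspiciousRunEntry {
    param([string]$Name, [string]$Data)
    # Expand %APPDATA%-style variables and strip quotes so the path can be compared.
    $expanded = [Environment]::ExpandEnvironmentVariables($Data).Trim('"')
    $appData  = [Environment]::GetFolderPath('ApplicationData')
    $inAppData    = $expanded.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
    $mimicsSystem = $systemNames -contains $Name     # -contains is case-insensitive
    return ($inAppData -and $mimicsSystem)
}

$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        if (Test-SuspiciousRunEntry -Name $p.Name -Data ([string]$p.Value)) {
            $path   = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
            $exists = Test-Path -LiteralPath $path
            Write-Output ("Suspicious Run entry: {0} -> {1} (file present: {2})" -f $p.Name, $p.Value, $exists)
        }
    }
}
```

Run it under the user profile being checked, since the key is per-user (HKCU); a hit with the file still present indicates the copy in %APPDATA% has not been cleaned up.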
Payload
Allows limited remote access and control
Backdoor:MSIL/Twoeebot.B periodically visits a user account on the domain Twitter.com to retrieve commands. The commands could include:
- Download and execute a file from a specific remote location to %temp%
- Send UDP packets to a specific IP address and port as a DoS attack
- Stop and uninstall itself
- Start Internet Explorer and visit specific Web pages either as a visible window or in the background
Analysis by Shawn Wang
Prevention