Threat behavior
Backdoor:Win32/Darkshell.A is a detection for a backdoor that connects to a remote server to receive commands from attackers, which can include instructions to spread to other computers.
Installation
When executed, Backdoor:Win32/Darkshell.A drops a copy of itself to the <system folder> as regedit32.exe and registers itself to run at each Windows start. Note that regedit32.exe is not a legitimate Windows component; the genuine Registry Editor binaries are regedit.exe and regedt32.exe, so a file with this name in the System folder warrants investigation.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
The malware also drops the following file:
Spreads via…
Removable drives
The malware copies itself to the root directory:
It also places an AutoRun.inf file in the root directory of the targeted drive. Such AutoRun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
It should also be noted that AutoRun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
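As an added example, not part of this encyclopedia entry or of any Microsoft tooling, the Python below triages a host for the two artefacts described in the Installation and Removable drives sections: a startup entry that launches regedit32.exe from the System folder, and an AutoRun.inf whose open=, shellexecute= or shell\<verb>\command= entries launch an executable stored on the drive. The entry does not say which registry key the malware uses for persistence; the example assumes the standard Run key and parses constructed `reg query` output instead of reading a live registry, so it runs on any platform. The sample AutoRun.inf text and registry output are constructed for illustration.

```python
"""Offline triage helpers for two Darkshell.A artefacts: a Run-key entry for
regedit32.exe and an AutoRun.inf that launches a program from a removable
drive. All inputs below are constructed sample text; nothing touches a live
system, so the checks run identically on Windows, Linux or macOS."""
import re

# Extensions that an AutoRun.inf open=/shellexecute= line can cause Windows to run.
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")

# AutoRun keys whose value is a program to launch (icon= and label= are not).
EXEC_KEYS = ("open", "shellexecute")

# One value line of `reg query HK..\...\Run` output: <name>  REG_SZ  <data>
RUN_VALUE_RE = re.compile(
    r"^\s*(?P<name>\S.*?)\s{2,}REG_(?:EXPAND_)?SZ\s{2,}(?P<data>.+?)\s*$")


def first_token(cmdline):
    """Program part of a command line: the quoted path, or the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def parse_autorun(text):
    """Minimal case-insensitive INI parser for AutoRun.inf.
    Returns {section: {key: value}} with section and key names lowercased.
    Hand-written rather than configparser because Windows tolerates junk
    lines, odd casing and duplicate sections that configparser would reject,
    and malware authors rely on that leniency."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(text):
    """Programs an AutoRun.inf would launch: open= and shellexecute= values,
    plus shell\\<verb>\\command= values that run when the drive is opened
    from Explorer or its context menu."""
    autorun = parse_autorun(text).get("autorun", {})
    return [value for key, value in autorun.items()
            if key in EXEC_KEYS
            or (key.startswith("shell\\") and key.endswith("\\command"))]


def is_suspicious_autorun(text):
    """True if the AutoRun.inf launches an executable. An AutoRun.inf that
    only sets icon= or label= (common on legitimate media) is not flagged."""
    return any(first_token(t).lower().endswith(EXECUTABLE_EXT)
               for t in autorun_launch_targets(text))


def suspicious_run_entries(reg_query_output):
    """(name, data) pairs from `reg query` Run-key output whose program is
    regedit32.exe. Assumption: persistence lives in a Run key; the entry
    does not name the key."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        program = first_token(m.group("data")).lower()
        if program == "regedit32.exe" or program.endswith("\\regedit32.exe"):
            hits.append((m.group("name"), m.group("data")))
    return hits


# Constructed samples, not captured from a real infection.
SAMPLE_AUTORUN = r"""[AutoRun]
open=regedit32.exe
shell\open\Command=regedit32.exe
shell\open=Open
icon=regedit32.exe,0
"""
SAMPLE_BENIGN = r"""[autorun]
icon=setup.ico
label=Product CD
"""
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    regedit32    REG_SZ    C:\Windows\System32\regedit32.exe
"""

if __name__ == "__main__":
    print("autorun launches:", autorun_launch_targets(SAMPLE_AUTORUN))
    print("suspicious:", is_suspicious_autorun(SAMPLE_AUTORUN),
          is_suspicious_autorun(SAMPLE_BENIGN))
    print("run-key hits:", suspicious_run_entries(SAMPLE_REG))
```

The icon/label-only AutoRun.inf is deliberately not flagged, matching the caveat above that AutoRun.inf by itself is not evidence of infection. The flip side is that a legitimate installation CD with open=setup.exe will trip the check, so a hit on a USB stick or other writable removable drive is far stronger evidence than a hit on optical media, and the launched file should be hashed and scanned before drawing a conclusion.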
Payload
Allows backdoor access and control
In the wild, we have observed Backdoor:Win32/Darkshell.A attempting to contact the following remote host through port 80:
Using this backdoor, an attacker can perform a number of actions on the affected computer. In the wild, we have observed Backdoor:Win32/Darkshell.A receiving instructions to perform a Distributed Denial of Service (DDoS) attack.
Analysis by Tim Liu
Prevention