Threat behavior
Backdoor:Win32/Hostil.gen!A is a backdoor trojan that allows unauthorized access and control to an affected computer.
Installation
When executed, the malware injects code into svchost.exe, then copies itself to <system folder>\regedit.exe and creates the following registry entry to ensure execution at each Windows start:
Adds value: "Calc32"
With data: "<system folder>\regedit.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
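One way to check an exported Run key for this persistence entry, as an added example rather than code from the original writeup: the script parses a .reg-style export (the sample export below is constructed and assumes an XP-style System folder) and flags a value named "Calc32" or any Run value whose data points at a copy of regedit.exe inside a System32 folder, since both are the indicators described above.

```python
import re

# Registry location and value name given in the writeup.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
INDICATOR_VALUE = "Calc32"

# Constructed sample: a .reg-style export of the Run key on an infected host.
# (Sample data, not from the original page; the path assumes an XP-style System folder.)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\ExampleApp\\tray.exe"
"Calc32"="C:\\Windows\\System32\\regedit.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg-style export (string values only)."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg exports escape each backslash as "\\"; undo that escaping.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_hostil_run_entries(text):
    """Flag Run-key values matching the writeup's indicators: the value name
    'Calc32', or data pointing at a regedit.exe copy inside a System32 folder
    (covers both the Winnt\System32 and Windows\System32 defaults)."""
    hits = []
    values = parse_reg_export(text).get(RUN_KEY, {})
    for name, data in values.items():
        by_name = name.lower() == INDICATOR_VALUE.lower()
        by_path = data.lower().endswith(r"\system32\regedit.exe")
        if by_name or by_path:
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_hostil_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run entry: {name} = {data}")
```

On a live host the same export is produced with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; matching on the path as well as the value name catches variants that rename the value but keep the regedit.exe drop location.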
Payload
Allows backdoor access and control
The malware allows unauthorized access and control to an affected computer. It attempts to connect to a number of specified remote hosts via Port 25. We have observed the malware contacting the following remote hosts:
mxs.mail.ru
alt4.gmail-smtp-in-l.google.com
b.mx.mail.yahoo.com
in1.smtp.messagingengine.com
mx2.mailhop.org
Using this backdoor functionality, an attacker may be able to download and execute other files.
Additional Information
The code injected into svchost.exe creates two mutexes with names that use the following format:
mutogen<number>
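An added detection example covering both the port 25 activity and the mutex naming above; it is not code from the original writeup. The connection records are constructed sample data whose field names (image, dst_host, dst_port) are an assumption loosely modelled on a process network event; the logic flags svchost.exe originating outbound port 25 connections, ranks a hit higher when the destination is one of the hosts listed above, and matches mutex names against the mutogen<number> format, including names carrying a Global\ or Local\ namespace prefix.

```python
import re

# Remote hosts the writeup reports the malware contacting.
OBSERVED_HOSTS = {
    "mxs.mail.ru",
    "alt4.gmail-smtp-in-l.google.com",
    "b.mx.mail.yahoo.com",
    "in1.smtp.messagingengine.com",
    "mx2.mailhop.org",
}

# Mutex format from the writeup; an optional Global\ or Local\ prefix is
# allowed because Windows object names may carry a namespace.
MUTEX_RE = re.compile(r"^(?:(?:Global|Local)\\)?mutogen\d+$")

# Constructed sample connection records (field names are assumed, data is invented).
SAMPLE_CONNECTIONS = [
    {"image": r"C:\Windows\System32\svchost.exe", "dst_host": "mxs.mail.ru", "dst_port": 25},
    {"image": r"C:\Windows\System32\svchost.exe", "dst_host": "update.example.invalid", "dst_port": 443},
    {"image": r"C:\Program Files\MailClient\mail.exe", "dst_host": "mx2.mailhop.org", "dst_port": 25},
    {"image": r"C:\Windows\System32\svchost.exe", "dst_host": "b.mx.mail.yahoo.com", "dst_port": 25},
    {"image": r"C:\Windows\System32\svchost.exe", "dst_host": "smtp.example.invalid", "dst_port": 25},
]

# Constructed sample mutex names as a handle enumeration might list them.
SAMPLE_MUTEXES = ["mutogen1", "Global\\mutogen42", "mutogenx", "SomeAppMutex"]


def suspicious_smtp_connections(records):
    """Return (dst_host, reason) for outbound port-25 connections made by
    svchost.exe. A mail client speaking SMTP is expected; svchost.exe is not,
    and the writeup attributes the traffic to code injected into it."""
    hits = []
    for r in records:
        if not r["image"].lower().endswith("\\svchost.exe"):
            continue
        if r["dst_port"] != 25:
            continue
        known = r["dst_host"].lower() in OBSERVED_HOSTS
        hits.append((r["dst_host"], "observed-host" if known else "port-25-only"))
    return hits


def suspicious_mutexes(names):
    """Return the mutex names that follow the mutogen<number> format."""
    return [n for n in names if MUTEX_RE.match(n)]


if __name__ == "__main__":
    for host, reason in suspicious_smtp_connections(SAMPLE_CONNECTIONS):
        print(f"svchost.exe -> {host}:25 ({reason})")
    for name in suspicious_mutexes(SAMPLE_MUTEXES):
        print(f"mutex matches Hostil format: {name}")
```

The "port-25-only" hits matter as much as the named-host hits: the writeup lists hosts it has observed, not an exhaustive set, so the behavioural rule (svchost.exe talking SMTP) is the durable part of the detection.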
Analysis by Dan Kurc
Prevention