Backdoor:Win32/Mdmbot.B is a trojan that allows unauthorized access and control of an affected computer.
Installation
In the wild, Backdoor:Win32/Mdmbot.B has been distributed with the filename rasmon.dll.
When run, it copies itself to %temp%\c_1758.nls and modifies the registry to make it appear as though it is running as a system service:
Adds value: "ImagePath"
With data: "<system folder>\svchost.exe -k netsvcs"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\Ras[4 random characters]
Adds value: "ServiceDll"
With data: "%temp%\c_1758.nls"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]\Parameters
After the malicious service is started, it deletes the entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\Ras[4 random characters]
This prevents the affected user from properly stopping the malicious service.
Backdoor:Win32/Mdmbot.B also creates the following registry entries in order to store configuration information:
HKLM\Software\Sun\1.1.2\"IsoTp"
HKLM\Software\Sun\1.1.2\"AppleTlk"
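An added PowerShell hunt for the persistence pattern described above (a svchost-hosted service whose ServiceDll sits in %temp% with a non-.dll name, and whose SvcHost group registration has been deleted after start-up), plus a check for the two configuration values. This is example code written for this entry, not tooling from Microsoft; the temp-folder list and the per-user service suffix handling are assumptions to tune to your own baseline.

```powershell
# Added hunt script (not from the Microsoft write-up). Flags svchost-hosted services
# that show the Mdmbot.B persistence pattern: a ServiceDll loaded from a temp folder
# (e.g. %temp%\c_1758.nls), a non-.dll extension, or a "svchost.exe -k <group>" service
# that is no longer listed under the SvcHost group key. Folder list is an assumption.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

# Folders a service DLL should never be loaded from (assumed baseline).
$tempRoots = @($env:TEMP, $env:TMP, "$env:windir\Temp") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
    Select-Object -Unique

# Map each SvcHost group (e.g. netsvcs) to the service names it is allowed to host.
$groups  = @{}
$svcHost = Get-ItemProperty -Path $svcHostKey -ErrorAction SilentlyContinue
foreach ($p in $svcHost.PSObject.Properties) {
    if ($p.Name -notlike 'PS*' -and $p.Value -is [string[]]) { $groups[$p.Name] = $p.Value }
}

$findings = @(foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $params = Get-ItemProperty -Path (Join-Path $svc.PSPath 'Parameters') -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll).Trim('"').ToLowerInvariant()
    $imagePath = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    # Per-user service instances (Name_<hex>) are registered in the group under their base name.
    $name = $svc.PSChildName -replace '_[0-9a-fA-F]+$', ''
    $reasons = @()
    if ($tempRoots | Where-Object { $dll.StartsWith("$_\") }) { $reasons += 'ServiceDll loaded from a temp folder' }
    if ([IO.Path]::GetExtension($dll) -ne '.dll') { $reasons += "ServiceDll extension is '$([IO.Path]::GetExtension($dll))'" }
    if ($imagePath -match '(?i)svchost\.exe.*-k\s+"?([^\s"]+)') {
        $group = $matches[1]
        if (-not ($groups.ContainsKey($group) -and $groups[$group] -contains $name)) {
            $reasons += "not listed in SvcHost group '$group' (entry missing or deleted)"
        }
    }
    if ($reasons) {
        [pscustomobject]@{ Service = $svc.PSChildName; ServiceDll = $dll; ImagePath = $imagePath; Reasons = ($reasons -join '; ') }
    }
})

# Mdmbot.B's configuration values, as named in the write-up.
foreach ($v in 'IsoTp', 'AppleTlk') {
    if (Get-ItemProperty -Path 'HKLM:\Software\Sun\1.1.2' -Name $v -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Service = '-'; ServiceDll = '-'; ImagePath = "HKLM\Software\Sun\1.1.2\$v"; Reasons = 'Mdmbot.B configuration value present' }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run from an elevated prompt so the Services and SvcHost keys are fully readable; a service that reports only the "not listed in SvcHost group" reason while still running is the post-start key deletion this entry describes.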
Payload
Allows backdoor access and control
Backdoor:Win32/Mdmbot.B checks to see if the following files exist on the affected computer:
These files may be detected as Backdoor:Win32/Mdmbot.C or RemoteAccess:Win32/RealVNC. If these files exist, Backdoor:Win32/Mdmbot.B uses them to obtain remote backdoor access to the affected computer. Using this backdoor, an attacker can perform a number of different actions, including:
- Deleting itself
- Clearing the system log
- Deleting the file <system folder>\drivers\etc\networks.ics
- Retrieving CPU information from the following registry entry:
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Shutting down the affected computer
Connects to remote hosts
Backdoor:Win32/Mdmbot.B may contact a number of specified remote hosts.
Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
Analysis by Tim Liu