Backdoor:Win32/Momibot is a backdoor trojan that connects to remote servers to perform various actions on the infected computer.
Installation
When run, Backdoor:Win32/Momibot.gen!B copies itself to the Windows system folder using a random file name. It then runs its dropped copy.
It creates a mutex with a random name to ensure that only one instance of itself is running.
It makes the following changes to the registry to ensure that its copy runs at each Windows start. Of these, only the Run key is an autostart location on Windows NT-based systems (Windows 2000, XP and later); RunServices is processed only by Windows 9x/ME, and the OLE and Lsa keys do not execute programs named in arbitrary values, so those three entries serve as infection markers rather than as additional persistence:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32Update"
With data: "<malware file name>"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sets value: "Win32Update"
With data: "<malware file name>"
In subkey: HKLM\Software\Microsoft\OLE
Sets value: "Win32Update"
With data: "<malware file name>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Sets value: "Win32Update"
With data: "<malware file name>"
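As an added example (not part of the original analysis), the following PowerShell checks the four locations above for a value named Win32Update and reports what each one points at, including a SHA-256 of the file if it is still on disk. The value name and key paths are taken from this page; the function name, the assumption that a bare file name lives in %SystemRoot%\System32, and the output fields are mine. Run it from an elevated PowerShell.

```powershell
# Added example (not part of the original analysis): look for the "Win32Update"
# value in the four keys the analysis lists and resolve what it points at.
$ValueName = 'Win32Update'
$Locations = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'          # autostart on NT-based Windows
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'  # only processed by Windows 9x/ME
    'HKLM:\Software\Microsoft\OLE'                                 # no autostart; infection marker
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'                   # no autostart; infection marker
)

function Get-MomibotAutostart {
    foreach ($key in $Locations) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props -or $props.PSObject.Properties.Name -notcontains $ValueName) { continue }

        $data = [string]$props.$ValueName
        # The data is "<malware file name>", bare or quoted. An unrooted name is assumed
        # (my assumption) to sit in the system folder the dropper copies itself into;
        # on 64-bit Windows a 32-bit dropper may land in SysWOW64 instead of System32.
        $path = $data.Trim('"')
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        $onDisk = Test-Path -LiteralPath $path -PathType Leaf
        $hash = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }

        [pscustomobject]@{
            Key    = $key
            Data   = $data
            Path   = $path
            OnDisk = $onDisk
            SHA256 = $hash
        }
    }
}

$hits = @(Get-MomibotAutostart)
if ($hits.Count -eq 0) { "No '$ValueName' value in the four locations." } else { $hits | Format-List }
```

Because the dropped copy has a random file name, the value data is the only reliable way to locate it; a hit in OLE or Lsa with no matching Run entry still indicates a past or partial infection.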
Payload
Modifies security settings
Backdoor:Win32/Momibot modifies the affected computer's security settings by making changes to the registry, for example, the malware:
- Attempts to disable Windows Firewall notifications from Windows Security Center:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "FirewallDisableNotify"
With data: "1"
- Attempts to prevent various security products from running. Windows honors the Debugger value under an Image File Execution Options subkey by launching the named debugger, with the program's own command line appended, whenever that program is started; pointing it at "ntsd -d" means the product is never run normally (and on systems that do not ship ntsd.exe the launch simply fails):
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program name>
Sets value: "Debugger"
With data: "ntsd -d"
Where <program name> may be one or more of the following:
- AVP32.EXE
- ArcaCheck.exe
- AvMonitor.exe
- CCenter.exe
- DRWEB32.EXE
- FAMEH32.EXE
- FPAVServer.exe
- FPWin.exe
- FSMA32.EXE
- GFRing3.exe
- HijackThis.exe
- KASMain.exe
- KASTask.exe
- KAV32.exe
- KAVDX.exe
- KAVPF.exe
- KAVPFW.exe
- KAVStart.exe
- KPFW32.exe
- KPFW32X.exe
- NAVNT.EXE
- NAVSTUB.EXE
- NAVW32.EXE
- NAVWNT.EXE
- Navapsvc.exe
- Navapw32.exe
- Nvcc.exe
- OllyDBG.EXE
- RegTool.exe
- SfFnUp.exe
- Vba32arkit.exe
- Zanda.exe
- Zlh.exe
- a2service.exe
- arcavir.exe
- ashDisp.exe
- ashEnhcd.exe
- ashServ.exe
- ashUpd.exe
- aswUpdSv.exe
- autoruns.exe
- avadmin.exe
- avcenter.exe
- avcls.exe
- avconfig.exe
- avconsol.exe
- avgnt.exe
- avgrssvc.exe
- avguard.exe
- avp.com
- avp.exe
- avscan.exe
- avz.exe
- avz4.exe
- avz_se.exe
- bdagent.exe
- bdinit.exe
- caav.exe
- caavguiscan.exe
- casecuritycenter.exe
- ccupdate.exe
- cfp.exe
- cfpupdat.exe
- cmdagent.exe
- drwadins.exe
- drwebupw.exe
- ekrn.exe
- filemon.exe
- fpscan.exe
- fsav32.exe
- fsgk32st.exe
- guardgui.exe
- guardxservice.exe
- guardxup.exe
- navigator.exe
- niu.exe
- nod32.exe
- nod32krn.exe
- outpost.exe
- preupd.exe
- procexp.exe
- pskdr.exe
- regedit.exe
- regmon.exe
- scan32.exe
- vba32ldr.exe
- vsserv.exe
- zapro.exe
- zonealarm.exe
- zoneband.dll
Allows backdoor access and control
The trojan attempts to lift the raw-socket restriction on the affected computer (on the Windows versions this family targets, this value lets non-administrative processes open raw sockets) by making the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Sets value: "DisableRawSecurity"
With data: "1"
It does this so that it can listen for remote connections on various ports.
Some variants may connect to an IRC server, or download instructions from a website.
The backdoor also uses the UPnP protocol in its attempt to establish remote connections.
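The three registry changes described in the "Modifies security settings" section and here (the Image File Execution Options Debugger hijack, FirewallDisableNotify, and DisableRawSecurity) can be audited and undone with the following PowerShell. It is an added example rather than anything from the original analysis: the key paths, value names and data come from this page, while the function names, the choice to report every Debugger value rather than only the listed program names, and the remediation (delete the Debugger value, set the two flags back to 0) are my assumptions. Run it from an elevated PowerShell; Repair-MomibotTamper -WhatIf previews the changes.

```powershell
# Added example (not part of the original analysis): audit and undo the IFEO Debugger
# hijack and the two security-setting flags. Key paths, value names and data are from
# the analysis; the detection and repair logic is mine.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerHijack {
    # Report every IFEO subkey that carries a Debugger value. Windows runs that command
    # (with the original command line appended) instead of the program, so a bogus
    # debugger such as "ntsd -d" stops the named product from ever starting.
    Get-ChildItem -LiteralPath $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($null -ne $dbg) {
            [pscustomobject]@{
                Program  = $_.PSChildName
                Debugger = $dbg
                # "ntsd -d" is the exact data this family writes; any other Debugger entry
                # is still worth review, since legitimate ones are rare outside dev boxes.
                Momibot  = ([string]$dbg).Trim() -like 'ntsd -d*'
                Key      = $_.PSPath
            }
        }
    }
}

# Flags the analysis says the trojan sets to 1. Setting them back to 0 restores the
# default behaviour (firewall notifications on, raw-socket restriction enforced).
$Flags = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';               Name = 'FirewallDisableNotify' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'; Name = 'DisableRawSecurity' }
)

function Get-MomibotFlagTamper {
    foreach ($f in $Flags) {
        $v = (Get-ItemProperty -LiteralPath $f.Key -Name $f.Name -ErrorAction SilentlyContinue).($f.Name)
        # The value may have been written as REG_SZ "1" or REG_DWORD 1; compare numerically.
        if ($null -ne $v -and [int]$v -eq 1) {
            [pscustomobject]@{ Key = $f.Key; Name = $f.Name; Data = $v }
        }
    }
}

function Repair-MomibotTamper {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($h in @(Get-IfeoDebuggerHijack | Where-Object Momibot)) {
        if ($PSCmdlet.ShouldProcess($h.Key, 'Remove Debugger value')) {
            Remove-ItemProperty -LiteralPath $h.Key -Name Debugger
        }
    }
    foreach ($t in @(Get-MomibotFlagTamper)) {
        if ($PSCmdlet.ShouldProcess("$($t.Key) -> $($t.Name)", 'Reset to 0')) {
            Set-ItemProperty -LiteralPath $t.Key -Name $t.Name -Value 0 -Type DWord
        }
    }
}

Get-IfeoDebuggerHijack | Format-Table -AutoSize
Get-MomibotFlagTamper  | Format-Table -AutoSize
# Repair-MomibotTamper -WhatIf   # preview; rerun without -WhatIf to apply
```

Only entries whose Debugger data is "ntsd -d" are removed automatically; anything else under IFEO is listed for a human to judge, since a developer machine may legitimately register a just-in-time debugger there.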
Contacts remote hosts
Some variants of Backdoor:Win32/Momibot may contact a remote host in order to receive and relay instructions. We have observed the trojan contacting the following remote hosts (written with hxxp in place of http so that they are not clickable):
- hxxp://drocherweb.com
- hxxp://sekasanehvataet.com
- hxxp://5rublei.com
- hxxp://ShopVideoSchools.cn
- hxxp://ShopFilmWorld.cn
- hxxp://MartPictureExistence.cn
- hxxp://ShopPictureLife.cn
- hxxp://ShopPigLiving.cn
- hxxp://ShopVideoFest.cn
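An added example, not part of the original analysis, of matching a proxy log against the hosts above. The domain list is taken from this page (the hxxp:// prefix is defanging and is dropped); the Squid-style log lines are constructed for the example, and the function names are mine. Matching is done on host-label boundaries, so www.drocherweb.com is a hit but 5rublei.com.example.net is not, which a plain substring search would get wrong.

```powershell
# Added example (not part of the original analysis): match Squid-style proxy log lines
# against the hosts the analysis lists. The log lines below are constructed, not real traffic.
$Indicators = @(
    'drocherweb.com', 'sekasanehvataet.com', '5rublei.com',
    'ShopVideoSchools.cn', 'ShopFilmWorld.cn', 'MartPictureExistence.cn',
    'ShopPictureLife.cn', 'ShopPigLiving.cn', 'ShopVideoFest.cn'
)
# Lower-case lookup table: DNS names are case-insensitive and log sources disagree on case.
$IndicatorSet = @{}
foreach ($d in $Indicators) { $IndicatorSet[$d.ToLowerInvariant()] = $true }

function Test-MomibotHost {
    param([string]$HostName)
    # Return the matching indicator if $HostName equals one or is a subdomain of one.
    # Walking label boundaries avoids substring false positives (5rublei.com.example.net).
    $labels = $HostName.TrimEnd('.').ToLowerInvariant().Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        if ($IndicatorSet.ContainsKey($candidate)) { return $candidate }
    }
    return $null
}

function Find-MomibotContacts {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Squid native format: time elapsed client code/status bytes method url rfc931 peer type
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 7) { continue }
        $uri = $null
        if (-not [System.Uri]::TryCreate($f[6], [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $hit = Test-MomibotHost $uri.Host
        if ($hit) {
            [pscustomobject]@{
                Time      = [DateTimeOffset]::FromUnixTimeSeconds([long][double]$f[0]).UtcDateTime
                Client    = $f[2]
                Host      = $uri.Host
                Indicator = $hit
                Url       = $f[6]
            }
        }
    }
}

# Constructed sample: lines 1 and 3 should match, line 2 is benign, and line 4 is a
# look-alike that must not match.
$SampleLog = @'
1260000000.123     45 10.0.0.12 TCP_MISS/200 512 GET http://drocherweb.com/gate.php - DIRECT/192.0.2.10 text/html
1260000001.456     12 10.0.0.13 TCP_MISS/200 210 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1260000002.789     33 10.0.0.12 TCP_MISS/404 340 GET http://www.ShopVideoFest.cn/index.php - DIRECT/192.0.2.30 text/html
1260000003.012     10 10.0.0.14 TCP_MISS/200 120 GET http://5rublei.com.example.net/ - DIRECT/192.0.2.40 text/html
'@

Find-MomibotContacts -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

The same Test-MomibotHost function can be fed the query name from DNS server logs instead of a URL host; only the line parser in Find-MomibotContacts is format-specific.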
Analysis by Matt McCormack