Threat behavior
Backdoor:Win32/Otlard.A is a trojan that allows limited remote access and control of the computer by a remote attacker. The trojan could be instructed to download and execute arbitrary files.
Installation
This trojan may be installed by other malware. When it executes, it creates a mutex named "gootkit" and injects code into the Windows system process "svchost.exe".
Payload
Captures passwords
Backdoor:Win32/Otlard.A steals credentials stored on the computer that are associated with the following commonly used applications:
- Total Commander
- WSFTP
- CoffeeCup FTP
- Far
- Internet Explorer
- Opera
- Firefox
- CuteFtp
- Filezilla
- WinSCP
- Bulletproof FTP
- FlashFXP
- CoreFTP
- FF FTP
- Frigate
- FTP Commander
- FTP Explorer
- FtpRush
- SecureFX
- SmartFtp
- UltraFXP
Allows limited remote access and control
Backdoor:Win32/Otlard.A attempts to connect to the remote site "v00d00.org" to download configuration data for its remote-access functionality, which includes downloading and executing arbitrary files. The trojan then listens on TCP port 1315 and awaits connections and commands from a remote attacker.
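The host indicators this page gives (injection into svchost.exe under Installation, and the v00d00.org configuration download and the TCP port 1315 listener above) can be matched against collected telemetry during triage. The following script is an added example, not part of the original analysis and not Microsoft's tooling: it parses constructed sample data shaped like `netstat -ano` output with the owning image appended, plus Sysmon-style DNS query records, and flags processes that show the page's indicators. The column layout, the `pid=`/`image=`/`query=` field names, and the sample lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the page's description of Backdoor:Win32/Otlard.A.
C2_DOMAIN = "v00d00.org"          # site contacted for configuration data
C2_LISTEN_PORT = 1315             # port the backdoor listens on for commands
INJECTION_TARGET = "svchost.exe"  # process the trojan injects code into


@dataclass(frozen=True)
class Conn:
    proto: str
    local_port: int
    state: str
    pid: int
    image: str


@dataclass(frozen=True)
class Finding:
    kind: str    # "listener" or "dns"
    pid: int
    image: str
    detail: str


# One TCP line of `netstat -ano` output with the owning image name appended
# as a final column (the column layout is an assumption of this example).
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
# Sysmon-style DNS query record (field names are an assumption of this example).
DNS_RE = re.compile(r"pid=(\d+)\s+image=(\S+)\s+query=(\S+)")

# Constructed sample telemetry: pid 1204 is an svchost.exe that listens on
# 1315 and resolves v00d00.org; the other lines are benign background noise.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID   Image
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832   svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4     System
  TCP    0.0.0.0:1315           0.0.0.0:0              LISTENING       1204  svchost.exe
  TCP    192.168.1.20:49731     203.0.113.7:80         ESTABLISHED     1204  svchost.exe
  TCP    192.168.1.20:49732     93.184.216.34:443      ESTABLISHED     2760  firefox.exe
"""

SAMPLE_DNS = """\
2024-01-01T10:00:01Z pid=1204 image=svchost.exe query=v00d00.org type=A
2024-01-01T10:00:02Z pid=2760 image=firefox.exe query=example.org type=A
"""


def parse_netstat(text: str) -> list[Conn]:
    """Parse the TCP rows of the netstat-style sample; other rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            port, state, pid, image = m.groups()
            conns.append(Conn("TCP", int(port), state, int(pid), image))
    return conns


def parse_dns(text: str) -> list[tuple[int, str, str]]:
    """Return (pid, image, queried name) for each DNS record."""
    return [(int(pid), image, query) for pid, image, query in DNS_RE.findall(text)]


def find_otlard_indicators(netstat_text: str, dns_text: str) -> list[Finding]:
    """Flag listeners on the page's C2 port and lookups of the page's C2 domain."""
    findings = []
    for c in parse_netstat(netstat_text):
        if c.state == "LISTENING" and c.local_port == C2_LISTEN_PORT:
            findings.append(Finding("listener", c.pid, c.image,
                                    f"listening on TCP {C2_LISTEN_PORT}"))
    for pid, image, query in parse_dns(dns_text):
        if query.lower().rstrip(".") == C2_DOMAIN:
            findings.append(Finding("dns", pid, image, f"queried {C2_DOMAIN}"))
    return findings


def strong_suspects(findings: list[Finding]) -> set[int]:
    """PIDs showing more than one distinct indicator kind. A hit whose image is
    svchost.exe is consistent with the injection behaviour described above."""
    kinds_by_pid: dict[int, set[str]] = {}
    for f in findings:
        kinds_by_pid.setdefault(f.pid, set()).add(f.kind)
    return {pid for pid, kinds in kinds_by_pid.items() if len(kinds) > 1}


if __name__ == "__main__":
    hits = find_otlard_indicators(SAMPLE_NETSTAT, SAMPLE_DNS)
    for f in hits:
        tag = " (injection target)" if f.image.lower() == INJECTION_TARGET else ""
        print(f"[{f.kind}] pid {f.pid} {f.image}{tag}: {f.detail}")
    print("strong suspects:", sorted(strong_suspects(hits)))
```

svchost.exe legitimately hosts many listeners (RPC on 135, ephemeral RPC ports, WinRM), so a listener owned by svchost.exe is not evidence on its own; the combination of the page's port with the page's domain in the same process is what earns the "strong suspect" label. A process that only resolves v00d00.org still deserves a look, since the listener may not have started yet when the snapshot was taken.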
Analysis by Vincent Tiu
Prevention