Backdoor:Win32/RDPopen.B is a trojan that allows backdoor access and control of your computer. It also adds itself to the Windows Firewall's authorized application list and changes your computer's settings so that it treats executable files as low-risk.
Installation
Backdoor:Win32/RDPopen.B may have a random file name. It modifies the system registry as part of its installation process:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsof-Window-Hosting Service"
With data: "<malware file name>"
In subkey: HKLM\Software\Microsoft\Window-NT\CurrentVersion\Winlogon
Sets value: "Microsof-Window-Hosting Service"
With data: "<malware file name>"
Payload
Lowers your computer's security
Backdoor:Win32/RDPopen.B lowers your computer's security settings by doing the following:
- Changes firewall settings to allow itself to bypass the firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "Microsof-Window-Hosting Service"
With data: "<malware file name>"
- Changes file association settings so that your computer considers executables, including other malware, to be low-risk (by default, .exe files are considered high-risk):
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
Sets value: "LowRiskFileTypes"
With data: ".exe"
It also creates the following registry entry as part of its payload:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
Sets value: "DefaultFileTypeRisk"
With data: "dword:30303030"
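The registry entries listed above can be checked for offline by scanning a registry export. The following script is an added example, not part of the original description: it parses a .reg export (a constructed sample is embedded) and reports any value that matches the Run, Winlogon, firewall-authorization or file-association indicators described here. The matching is by key suffix, so it also covers the Winlogon key under its normal "Windows NT" spelling.

```python
"""Scan a Windows .reg export for the Backdoor:Win32/RDPopen.B registry indicators."""
import re

# Constructed sample export for demonstration (not a real capture).
# It contains one benign Run entry, one malicious Run entry and the two
# policy values from the description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Microsof-Window-Hosting Service"="C:\\Users\\Public\\svchst.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]
"LowRiskFileTypes"=".exe"
"DefaultFileTypeRisk"=dword:30303030
"""

# (subkey suffix, value name, data that must appear, or None for any data)
INDICATORS = [
    (r"\Windows\CurrentVersion\Run", "Microsof-Window-Hosting Service", None),
    (r"\CurrentVersion\Winlogon", "Microsof-Window-Hosting Service", None),
    (r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     "Microsof-Window-Hosting Service", None),
    (r"\policies\Associations", "LowRiskFileTypes", ".exe"),
    (r"\policies\Associations", "DefaultFileTypeRisk", "dword:30303030"),
]

def parse_reg(text):
    """Yield (key, value_name, data) from a .reg export; string data is unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")
                yield key, name, data

def find_indicators(text):
    """Return the (key, value_name, data) triples that match an indicator."""
    hits = []
    for key, name, data in parse_reg(text):
        for suffix, ind_name, ind_data in INDICATORS:
            if key.lower().endswith(suffix.lower()) and name == ind_name:
                if ind_data is None or ind_data.lower() in data.lower():
                    hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_indicators(SAMPLE_REG):
        print(f"MATCH {key} -> {name} = {data}")
```

On a live system the same check can be run against `reg export HKLM` output; a hit on the Run or firewall value alone is sufficient reason to isolate the host and collect the referenced file.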
Allows backdoor access and control
Backdoor:Win32/RDPopen.B connects to the following servers at TCP port 8899 to wait for commands from a remote attacker:
- hbrl.info
- ifpl.info
- iifr.info
Analysis by Alden Pornasdoro