Backdoor:Win32/Talsab.C is a trojan that records keystrokes and allows unauthorized access and control of your computer.
Installation
Backdoor:Win32/Talsab.C is typically installed in the %APPDATA% folder by other malware such as the following:
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".
In the wild, we have observed Backdoor:Win32/Talsab.C installed with the following names:
- rundll.exe
- dllhost.exe
- scrss.exe
Backdoor:Win32/Talsab.C modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ctfmon"
With data: "%APPDATA%\<malware file name>", for example "%APPDATA%\rundll.exe"
The trojan drops the file "pagefile.sys" in the %APPDATA% folder, which it uses to store captured keystrokes.
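As an added example (not part of the original write-up), the Python below applies the persistence and dropped-file indicators described above to registry and directory data handed in as plain values, so it can be run offline against exported data; the environment mapping and sample entries are constructed, and the check relies on the fact that the genuine ctfmon.exe and pagefile.sys never live under %APPDATA%.

```python
import ntpath
import re

# Indicators from the write-up above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ctfmon"                                   # value name the trojan sets
DROPPED_NAMES = {"rundll.exe", "dllhost.exe", "scrss.exe"}  # observed file names
KEYLOG_FILE = "pagefile.sys"                                # keystroke store in %APPDATA%


def expand_env(path, env):
    """Expand %VAR% tokens from a caller-supplied dict, so no live OS query is needed."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def in_appdata(path, env):
    """True when the expanded path sits inside the user's Application Data folder."""
    appdata = env["APPDATA"].rstrip("\\").lower() + "\\"
    return path.lower().startswith(appdata)


def assess_run_value(name, data, env):
    """Return the reasons a Run entry matches the Talsab.C persistence pattern ([] if none)."""
    target = expand_env(data.strip().strip('"'), env)
    base = ntpath.basename(target).lower()
    reasons = []
    if not in_appdata(target, env):
        return reasons  # a legitimate ctfmon.exe entry points into System32, not %APPDATA%
    if name.lower() == RUN_VALUE_NAME:
        reasons.append("value 'ctfmon' launches a file from %APPDATA%")
    if base in DROPPED_NAMES:
        reasons.append(f"{base} imitates a system binary but lives in %APPDATA%")
    return reasons


def assess_appdata_listing(filenames):
    """Return names in an %APPDATA% listing that match the dropped artefacts."""
    return [f for f in filenames if f.lower() == KEYLOG_FILE or f.lower() in DROPPED_NAMES]


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    env = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
    print(assess_run_value("ctfmon", r'"%APPDATA%\rundll.exe"', env))
    print(assess_appdata_listing(["pagefile.sys", "scrss.exe", "notes.txt"]))
```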
Payload
Allows backdoor access and control
Backdoor:Win32/Talsab.C attempts to connect to the following C&C (command and control) servers, using variable ports, to allow unauthorized access and control of your computer:
- 69.162.85.234
- 184.171.161.1
- 205.251.140.1
- serkan0132.zapto.org
An attacker can perform any number of actions on your computer using Backdoor:Win32/Talsab.C. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Delete files
- Take a screenshot
- Modify system settings
- Log keystrokes
- Run or terminate applications
- Capture images taken by your webcam
Related encyclopedia entries
- Trojan:Win32/Delf.KQ
- Trojan:Win32/DelfInject.A
- Trojan:Win32/Qhost.gen!D
- Trojan:Win32/VB.AED
- Trojan:Win32/VB.LV
- TrojanDropper:Win32/Swisyn
- VirTool:Win32/DelfInject.gen!BI
- VirTool:Win32/Keylogger.A
- VirTool:Win32/VBInject
Analysis by Mihai Calota