Backdoor:Win32/Thoper.A

Backdoor:Win32/Thoper.A is a trojan that attempts to communicate, without authorization or user consent, with a predefined remote server.

Installation

This trojan is installed by TrojanDownloader:Win32/Thoper.A as a file named "winsvcfs.dll", as in the following example:

%APPDATA%\winsvcfs.dll (for example: "c:\Documents and Settings\All Users\Application Data\winsvcfs.dll")

The registry is modified to run Backdoor:Win32/Thoper.A at each Windows start.

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "LocalService"
To data: "alerter"

In subkey: HKLM\System\CurrentControlSet\Services\winsvcfs\Parameters
Sets value: "ServiceDll"
To data: "%APPDATA%\winsvcfs.dll"

Payload

Backdoor:Win32/Thoper.A communicates with a predefined remote server to accept commands from a remote attacker. Variants of this trojan were observed to connect to various servers, including the following:

• bbs.afbjz.com:80
• catalog.join3com.com:80
• ihi.adv138mail.com:80
• hitney.servehalflife.com:80
• gm1.network-sec.net:80
• sms.servegame.com:443

The trojan was also observed to use other TCP ports such as 1900, 1034 and 1064.

Analysis by Jaime Wong