Threat behavior
Backdoor:Win32/Blackhole.S is a component of a family of advertisement-click trojans. Such trojans click links in advertisements, provided by a remote server the trojan communicates with. The trojan may download additional malware and redirect users to new Web sites.
Installation
This trojan, when run, copies itself to the %windir% folder as 'mgrs.exe' and registers itself to run at each Windows start by adding a registry value.
Adds key: smgr
With value: mgrs.exe
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Modifies System Security Settings
This trojan disables Windows Firewall by modifying the following registry entry:
Modifies value: ProxyEnable
With data: 0
In subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\HardwareProfiles\Current\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Backdoor Functionality
Win32/Blackhole.S retrieves a configuration file containing additional instructions for use by the trojan from the Web site 'setup.bestmanage.org'. The trojan can be instructed to:
Click various links provided by the host
Download additional malware and execute it
Redirect users to new Web sites
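The installation and payload indicators above can be checked on a host with the following PowerShell script. It is an added example, not part of the original write-up or any vendor tool; it assumes an elevated session, and it uses the hardware-profile key as it exists in the live registry ('Hardware Profiles', with a space). The function name Get-BlackholeSIndicators is hypothetical.

```powershell
# Added example: look for the persistence and registry indicators described above.
# Run in an elevated PowerShell session; returns one object per indicator checked.
function Get-BlackholeSIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # Installation: dropped copy in %windir% and the 'smgr' Run value pointing at mgrs.exe
    $dropPath = Join-Path $env:windir 'mgrs.exe'
    $findings += [pscustomobject]@{
        Indicator = 'File %windir%\mgrs.exe'
        Present   = Test-Path -LiteralPath $dropPath
        Detail    = $dropPath
    }

    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).smgr
    $findings += [pscustomobject]@{
        Indicator = 'Run value smgr -> mgrs.exe'
        Present   = ($null -ne $runValue -and $runValue -match 'mgrs\.exe')
        Detail    = $runValue
    }

    # Payload: ProxyEnable under the current hardware profile. On its own this is a weak
    # indicator, because 0 is also the default on a clean machine; report it as context only.
    $proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxyEnable = (Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue).ProxyEnable
    $findings += [pscustomobject]@{
        Indicator = 'ProxyEnable = 0 (weak: also the clean default)'
        Present   = ($proxyEnable -eq 0)
        Detail    = $proxyEnable
    }

    return $findings
}

# Usage: list every check, then flag the host only on the strong indicators (file or Run value)
$result = Get-BlackholeSIndicators
$result | Format-Table -AutoSize
$strong = $result | Where-Object { $_.Indicator -notmatch 'ProxyEnable' -and $_.Present }
if ($strong.Count -gt 0) {
    Write-Warning 'Blackhole.S persistence indicators found on this host; isolate it and rebuild from a known-good image.'
}
```

A missing Run value or dropped file does not prove the host is clean; the file and value names are the ones given for this variant only.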
Prevention