Backdoor:Win32/Ixeshe.E is a backdoor trojan that allows remote access and control of a computer. In the wild, this trojan is known to be dropped by malicious SWF files.
Installation
Backdoor:Win32/Ixeshe.E is known to be dropped by a malicious SWF file detected as Exploit:SWF/CVE-2011-0611.I, as the following file:
It may arrive with a PDF file icon.
It also drops the following LNK file that points to itself:
- <startup folder>\adobe reader speed launch.lnk
Note: <startup folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Startup folder on Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. On Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
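An added defender-side example (not part of this write-up): it checks the two Startup folders named above for the dropped LNK and parses the Shell Link binary format to report where the shortcut points, so the dropped executable can be located. The LNK name and folder paths come from the write-up; the sample target path and the minimal LNK builder are constructed here for testing.

```python
import os
import struct
from typing import Optional

# Indicator from the write-up and the default Startup folders it cites.
LNK_NAME = "adobe reader speed launch.lnk"
STARTUP_FOLDERS = [
    r"%USERPROFILE%\Start Menu\Programs\Startup",                                    # 9x/Me/NT/2000/XP/2003
    r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",  # Vista/7
]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

def lnk_local_base_path(data: bytes) -> Optional[str]:
    """Return the LocalBasePath of a Shell Link (.lnk), or None if the link carries none."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]   # LinkFlags
    pos = 76                                         # ShellLinkHeader size
    if flags & 0x1:                                  # HasLinkTargetIDList: skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:                              # HasLinkInfo
        return None
    _size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
    if not info_flags & 0x1:                         # VolumeIDAndLocalBasePath
        return None
    start = pos + base_off                           # offsets are relative to LinkInfo
    end = data.index(b"\x00", start)                 # LocalBasePath is a NUL-terminated ANSI string
    return data[start:end].decode("latin-1")         # real files use the system ANSI code page

def check_startup_lnk(path: str) -> Optional[dict]:
    """Flag a Startup-folder LNK with the indicator name and report its target."""
    if os.path.basename(path).lower() != LNK_NAME:
        return None
    with open(path, "rb") as f:
        return {"lnk": path, "target": lnk_local_base_path(f.read())}

def scan_startup_folders() -> list:
    """Check both default Startup folders on the current machine (Windows only)."""
    hits = []
    for folder in STARTUP_FOLDERS:
        hit = check_startup_lnk(os.path.join(os.path.expandvars(folder), LNK_NAME))
        if hit is not None and os.name == "nt":
            hits.append(hit)
    return hits

def build_sample_lnk(target: str) -> bytes:
    """Construct a minimal LNK with LinkInfo only (constructed test data, not a real sample)."""
    base = target.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<IIII", 17, 3, 0x12345678, 16) + b"\x00"   # size, type, serial, label offset, ""
    total = 28 + len(volume_id) + len(base) + 1                            # header + VolumeID + base + suffix ""
    info = struct.pack("<IIIIIII", total, 28, 1, 28, 28 + len(volume_id), 0, 28 + len(volume_id) + len(base))
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x2) + b"\x00" * 52
    return header + info + volume_id + base + b"\x00"
```

scan_startup_folders() skips files that do not exist; when run on the affected machine it returns the shortcut path together with the executable it points to.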
Payload
Allows backdoor access and control
Backdoor:Win32/Ixeshe.E connects to a remote website to accept commands from a remote attacker. In the wild, it was observed to connect to the following IP address on TCP port 443:
If the affected computer has a proxy server enabled, Backdoor:Win32/Ixeshe.E is able to use it by reading the proxy settings in the registry and connecting to the remote website through it.
Once connected, a remote attacker may perform the following actions on the affected computer:
- Download or upload files
- Execute arbitrary files
- Execute remote commands
- Delete arbitrary files
- Terminate processes
- List running processes
- List the files in folders
- Make the computer sleep for a specified time
- Install a modified copy of "CMD.EXE" under a name specified by the remote attacker
Analysis by Rex Plantado