Threat behavior
Backdoor:WinNT/Festi.C is a backdoor trojan that allows limited remote access and control. The trojan connects to a remote website and retrieves instructions and commands from a remote attacker. The commands could instruct Backdoor:WinNT/Festi.C to distribute spam.
Installation
Backdoor:WinNT/Festi.C may be present as a randomly named file as in the following example:
<system folder>\drivers\zwgisvnbdeo7.sys
The dropped component is loaded into memory. It hooks system APIs to prevent access to the executable and to hide its presence in the registry services list.
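The driver-hiding behaviour above (a service entry missing from the services list, a driver file that cannot be opened) can be surfaced by comparing several views of the same system. The following PowerShell script is an added example, not part of this entry or of any Microsoft tooling; the drivers path, the use of Win32_SystemDriver and the Services registry key are the assumptions it makes, and since a kernel-mode rootkit can filter every user-mode view, a clean result here is a triage signal, not proof of absence.

```powershell
# Added example (not from the original entry): cross-view check for a hidden
# kernel driver. Compares three views: the Service Control Manager (via
# Win32_SystemDriver), the Services registry key, and .sys files on disk.
# Assumptions: run elevated on the host under triage; paths are defaults.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# View 1: driver service names as reported by the Service Control Manager
$scmDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    ForEach-Object { $_.Name.ToLowerInvariant() }

# View 2: driver service entries read directly from the registry
# (Type 1 = kernel driver, Type 2 = file system driver)
$regDrivers = @{}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if (($props.Type -in @(1, 2)) -and $props.ImagePath) {
            $regDrivers[$_.PSChildName.ToLowerInvariant()] = [string]$props.ImagePath
        }
    }

# View 3: .sys files physically present in the drivers folder
$diskSys = Get-ChildItem $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue

# Finding A: driver services present in the registry but absent from the SCM view
foreach ($name in $regDrivers.Keys) {
    if ($scmDrivers -notcontains $name) {
        Write-Output "REGISTRY-ONLY driver service: $name -> $($regDrivers[$name])"
    }
}

# Finding B: driver files on disk that no driver service references
# Finding C: driver files that cannot be opened for reading
$referenced = $regDrivers.Values |
    ForEach-Object { ([IO.Path]::GetFileName($_)).ToLowerInvariant() }
foreach ($f in $diskSys) {
    if ($referenced -notcontains $f.Name.ToLowerInvariant()) {
        Write-Output "UNREFERENCED driver file: $($f.FullName)"
    }
    try { $fs = $f.OpenRead(); $fs.Close() }
    catch { Write-Output "UNREADABLE driver file: $($f.FullName) ($($_.Exception.Message))" }
}
```

Unreferenced .sys files are common for inactive driver packages, so the REGISTRY-ONLY and UNREADABLE findings are the ones that match the behaviour this entry describes; confirm any hit by examining the disk offline from clean boot media.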
Payload
Monitors data
The trojan attempts to monitor information sent over the network via the following applications:
- Opera Browser
- The Bat email client
- Thunderbird client
- msimn.exe
- telnet.exe
Downloads configuration data
Backdoor:WinNT/Festi.C connects to a remote IP address to retrieve commands that could instruct the trojan to perform other actions, including distributing spam.
Analysis by Daniel Radu
Prevention