jcb
08-24-2005, 04:36 PM
Backdoor.Mepcod is a Trojan horse that opens a back door and downloads a file containing additional commands.
Technical Details
When Backdoor.Mepcod is executed, it performs the following actions:
Copies itself as the following file:
%Windir%\McAfeeScanPlus.exe.
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Drops the following file and opens it with mspaint.exe:
%CurrentFolder%\me.bmp
Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
Creates the following file, which is used to log account information:
%Windir%\winlogon9.log
Adds the value:
"McAfeeScanPlus" = "%Windir%\McAfeeScanPlus.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
Adds the value:
"%Windir%\McAfeeScanPlus.exe" = "%Windir%\McAfeeScanPlus.exe:*:Enabled:McAfeeScanPlus"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
to enable the backdoor functionality.
Attempts to download files from [http://]diji-realm.net/[REMOVED]/BN2005/LogMe.php
Attempts to download additional commands from [http://]diji-realm.net/[REMOVED]/BN2005/binfo.txt.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.mepcod.html#technicaldetails
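The indicators in the write-up above (two dropped files, a Run value, a Windows Firewall AuthorizedApplications exception and a download host) are easy to miss when checked by hand, especially since %Windir% must be expanded and the firewall list value packs path, scope, state and display name into one string. The following is an added example, not code from Symantec or from the original post: it takes a constructed host snapshot (file list, registry values and observed HTTP hosts, as some other collection tool would export them) and reports which Mepcod indicators are present. The snapshot layout and the function names expand_windir, parse_firewall_entry and scan_snapshot are assumptions of this example.

```python
"""Offline IOC check for the Backdoor.Mepcod indicators quoted above.

Added example, not from the Symantec write-up. The snapshot layout and the
function names are assumptions of this example; the indicator strings are
transcribed from the write-up, with %Windir% kept as a variable.
"""
from typing import Dict, List, Tuple

DROPPED_FILES = [r"%Windir%\McAfeeScanPlus.exe", r"%Windir%\winlogon9.log"]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "McAfeeScanPlus"
# The write-up names ControlSet001. CurrentControlSet is a link to whichever
# ControlSetNNN is active, so check the exception under both names.
FIREWALL_LIST_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
]
DOWNLOAD_HOST = "diji-realm.net"


def expand_windir(path: str, windir: str) -> str:
    """Replace %Windir% with the real Windows folder; lower-case for comparison."""
    return path.replace("%Windir%", windir).lower()


def parse_firewall_entry(value: str) -> Tuple[str, str, str, str]:
    """Split an AuthorizedApplications\\List value into its four fields.

    Format: <path>:<scope>:<Enabled|Disabled>:<display name>. The path itself
    contains ':' after the drive letter, so split from the right, three times.
    """
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected firewall list value: {value!r}")
    path, scope, state, name = parts
    return path, scope, state, name


def scan_snapshot(snapshot: Dict) -> List[str]:
    """Return one finding per Mepcod indicator present in the snapshot.

    Assumed snapshot layout:
      {"windir": "C:\\WINDOWS",
       "files": [full paths on disk],
       "registry": {key_path: {value_name: value_data}},
       "http_hosts": [hostnames seen in proxy or DNS logs]}
    Registry keys and value names are matched case-insensitively, as Windows does.
    """
    windir = snapshot["windir"]
    findings: List[str] = []

    present = {f.lower() for f in snapshot.get("files", [])}
    for ioc in DROPPED_FILES:
        if expand_windir(ioc, windir) in present:
            findings.append(f"file present: {ioc}")

    registry = {k.lower(): v for k, v in snapshot.get("registry", {}).items()}
    exe = expand_windir(DROPPED_FILES[0], windir)

    # Persistence: either the documented value name or any value pointing at the exe.
    for name, data in registry.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() or data.strip('"').lower() == exe:
            findings.append(f"Run value {name!r} -> {data}")

    # Firewall exception: flag the entry whatever its Enabled/Disabled state.
    for key in FIREWALL_LIST_KEYS:
        for _name, data in registry.get(key.lower(), {}).items():
            path, _scope, state, display = parse_firewall_entry(data)
            if path.lower() == exe:
                findings.append(f"firewall exception ({state}) for {path} as {display!r}")

    for host in snapshot.get("http_hosts", []):
        if host.lower() == DOWNLOAD_HOST:
            findings.append(f"contact with download host {host}")

    return findings


# Constructed sample snapshot of an infected XP SP2 host (not real telemetry).
INFECTED_SNAPSHOT = {
    "windir": r"C:\WINDOWS",
    "files": [r"C:\WINDOWS\McAfeeScanPlus.exe", r"C:\WINDOWS\winlogon9.log",
              r"C:\WINDOWS\explorer.exe"],
    "registry": {
        RUN_KEY: {"McAfeeScanPlus": r"C:\WINDOWS\McAfeeScanPlus.exe",
                  "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        FIREWALL_LIST_KEYS[0]: {
            r"C:\WINDOWS\McAfeeScanPlus.exe":
                r"C:\WINDOWS\McAfeeScanPlus.exe:*:Enabled:McAfeeScanPlus",
            r"C:\Program Files\Messenger\msmsgs.exe":
                r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
        },
    },
    "http_hosts": ["windowsupdate.microsoft.com", "diji-realm.net"],
}

# Constructed clean host for comparison.
CLEAN_SNAPSHOT = {
    "windir": r"C:\WINDOWS",
    "files": [r"C:\WINDOWS\explorer.exe"],
    "registry": {RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
    "http_hosts": ["windowsupdate.microsoft.com"],
}

if __name__ == "__main__":
    for line in scan_snapshot(INFECTED_SNAPSHOT):
        print(line)
```

The firewall list value is parsed rather than string-matched because the display name at the end is attacker-controlled and the path at the front can differ in case from the value name; checking the parsed path against the expanded dropped file catches both. Replace the constructed snapshot with output from whatever collection tool you use (a registry export plus a directory listing is enough).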