
13 October 2011

Backdoor:Win32/Smadow.gen!B

Aliases:
Backdoor:Win32/Smadow.gen!B is also known as Backdoor.Maxplus.13 (Dr.Web), Maxplus (other).
Explanation:
Backdoor:Win32/Smadow.gen!B is a generic detection for malware that can perform different actions, such as executing other malware. The executed malware may be detected as TrojanDropper:Win32/Sirefef.B or Trojan:Win32/Sirefef.




Installation
Some variants of this malware may be present in the Application Data directory:

%APPDATA%\.exe
The registry is modified so that the trojan is launched at the next Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "AD Network"
With data: "%APPDATA%\.exe"

Note that Windows deletes a RunOnce value after it has been executed, so unlike a Run value this entry does not by itself persist across every reboot; the malware has to re-create it each time it runs. A RunOnce value whose data points to a file that no longer exists is therefore still a useful artifact: it can indicate that the dropper already ran and removed itself.

In the wild, we have observed some variants of Backdoor:Win32/Smadow.gen!B installed alongside other malware, including TrojanDropper:Win32/Sirefef.B or Trojan:Win32/Sirefef. Some variants of this malware attempt to connect to the following IP addresses to download arbitrary files:

    * 69.50.212.158
    * 193.105.154.218
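The installation and network indicators above can be turned into a quick host triage check. The script below is an added example written for this page, not part of the Microsoft write-up and not code from the malware; it assumes PowerShell 4 or later (for Get-FileHash) and, for the connection check, Windows 8 / Server 2012 or later where Get-NetTCPConnection is available. The value name, registry path and IP addresses are taken from the text above; everything else (variable names, output format) is the example's own.

```powershell
# Added triage script for the Backdoor:Win32/Smadow.gen!B indicators listed above.
# Not part of the original write-up. Assumes PowerShell 4+ and Get-NetTCPConnection
# (Windows 8 / Server 2012 or later); on older systems replace the network check
# with parsing of "netstat -ano".

$RunOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$ValueName  = 'AD Network'                          # value name from the write-up
$KnownC2    = @('69.50.212.158', '193.105.154.218')  # download hosts from the write-up

$findings = @()

# 1. Autorun check: is the "AD Network" value present under HKLM RunOnce?
$props = Get-ItemProperty -Path $RunOnceKey -ErrorAction SilentlyContinue
if ($props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
    $data = [string]$props.$ValueName
    $findings += "RunOnce value '$ValueName' present, data: $data"

    # Strip surrounding quotes and expand %APPDATA%-style variables. Note that
    # %APPDATA% resolves to the profile of the account running this script;
    # check other users' profiles separately if the host is shared.
    $exe = [Environment]::ExpandEnvironmentVariables($data.Trim('"'))
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings += "Referenced file exists: $exe (SHA256 $hash)"
    } else {
        # RunOnce values are removed after execution; a dangling value suggests
        # the dropper already ran and cleaned up its own file.
        $findings += "Referenced file not found on disk: $exe"
    }
}

# 2. Network check: any live TCP connection to the published download hosts?
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
         Where-Object { $KnownC2 -contains $_.RemoteAddress }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += ('Connection to {0}:{1} ({2}) from PID {3} {4}' -f
        $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess, $proc.ProcessName)
}

if ($findings.Count -eq 0) {
    Write-Output 'No Smadow.gen!B indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM key and other processes' connections are readable. A hit on the registry value or on either IP is a strong signal given how specific both indicators are, but a clean result is not proof of absence: the value is deleted once it has run, and the download hosts may be contacted only briefly.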

Analysis by Patrik Vicol
