
06 November 2011

Backdoor:Win32/Mangzamel.A

Aliases:

Backdoor:Win32/Mangzamel.A is also known as BackDoor-FBR (McAfee), Troj/Mangzam-A (Sophos), Program.SkServer.7 (Dr.Web), Troj/Rootkit.IJ (Sophos).

Explanation:

Backdoor:Win32/Mangzamel.A is a trojan console application that can be instructed to perform certain actions by an attacker with access to the affected computer.

Installation

This malware may be installed by another process or by a remote attacker with write access to the affected computer. The trojan accepts and responds to certain commands which are passed as arguments, for example:

    * -v - sends data that identifies the version of the trojan
    * -t - installs the binary as a service named SEVNES
    * -i - verifies that the binary was successfully installed as a service



When installed to run as a service, the registry is modified to run the malware, as in the following example:

In subkey: HKLM\System\CurrentControlSet\Services\SEVNES
Sets value: "ImagePath"
With data: ""
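As an added defender-side check (example code written for this page, not part of the original analysis), the following Python parses a `reg export` of the Services hive and reports whether a service named SEVNES is registered, together with the ImagePath it points at. The sample export, its service entries and file paths are constructed.

```python
import re

# Service name this family registers, per the write-up; extend as needed.
WATCHLIST = {"SEVNES"}
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg doubles backslashes inside quoted string data
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_watched_services(text, watchlist=WATCHLIST):
    """Return [(service_name, ImagePath)] for watched names found
    directly under the Services key (Parameters/Enum subkeys skipped)."""
    wanted = {w.upper() for w in watchlist}
    hits = []
    for path, values in parse_reg_export(text).items():
        if not path.upper().startswith(SERVICES_KEY.upper() + "\\"):
            continue
        name = path[len(SERVICES_KEY) + 1:]
        if "\\" not in name and name.upper() in wanted:
            hits.append((name, values.get("ImagePath", "")))
    return hits

# Constructed sample export: one benign service and the watched one.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler]
"ImagePath"="%SystemRoot%\\\\System32\\\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SEVNES]
"ImagePath"="C:\\\\Users\\\\Public\\\\svc.exe"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SEVNES\\Parameters]
"ServiceDll"="C:\\\\Users\\\\Public\\\\x.dll"
"""
```

Run `find_watched_services()` over the output of `reg export HKLM\System\CurrentControlSet\Services <file>` from the host under investigation; a hit for SEVNES gives you the ImagePath to collect and hash.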



Analysis by Vincent Tiu
