February 14, 2012
Doctor Web's virus laboratory has received an entire brood of these Trojan horses. BackDoor.Volk.1 was the first one. Curiously, this Trojan horse is written in PHP which is used primarily to create scripts and server applications and then converted into executable code with the php2exe utility. This malicious program modifies the hosts file that lists available DNS names and their respective IP addresses in the compromised system.
BackDoor.Volk can join into botnets controlled with a specially designed administration panel. Doctor Web's analysts got hold of a database dump from a server controlling a botnet comprised of BackDoor.Volk bots. The database contains entries for around 100 bots and infected machines are found in many countries. Most of them are located in Chile (31%) and Uruguay (13%), followed by Peru (8%), Argentina (4%) and Spain (3%). The least affected countries are the U.S. and India (2%), as well as Canada, Colombia, and Brazil (1%). The remaining 34% of infected machines are located in the country dubbed Unknown — some of them may be in Russia.
Unlike its predecessor, BackDoor.Volk.2 is written in Visual Basic and uses the POST routine instead of GET when accessing remote hosts to send requests. Apart from downloading and running applications and hosts file modification, this malware can carry out DDoS-attacks and is capable of stealing passwords stored by FTP-clients installed on the infected computer. It should be noted that the module used by BackDoor.Volk.2 to communicate with a remote server has earlier been implemented in another malicious program — BackDoor.Herpes whose source code appeared in the public domain a while ago.
BackDoor.Volk.3 and BackDoor.Volk.4 also written in Visual Basic, are BackDoor.Volk.2 modifications featuring different routines to communicate with a remote server. Other features are similar. The host file modification function of the Trojan horse is the most dangerous one since it can be used by criminals to redirect a potential victim to a phishing site while stolen FTP server access passwords may be used to get unauthorized access to various websites. Signatures of all known BackDoor.Volk modifications are added into the Dr.Web virus database.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.