January 24, 2013
Recall that malware in the BackDoor.Butirat family can download and launch executables in an infected system after receiving an appropriate command from a control server and steal passwords stored by popular FTP-clients (FlashFXP, Total Commander, Filezilla, FAR, WinSCP, FtpCommander, SmartFTP and others).
Yet such backdoors use a rather common infection mechanism: they replicate themselves to a system folder and modify the registry so that the copy is launched automatically whenever Windows is loaded.
The distinguishing feature of BackDoor.Butirat.245 is a brand new routine to generate control server names. Earlier versions in the malware family had server names hardcoded. As was the case with the recently discovered version of BackDoor.BlackEnergy; Doctor Web's analysts, who examined BackDoor.Butirat.245, were in for a surprise: the program automatically generated third-level domain names. A respective second-level domain name turned out to be registered by a company that traditionally ignores any requests and complaints. Apparently, virus makers supposed that they could in this way increase the malicious program's persistence if one of their control servers is shut down.
The threat's signature has been added to Dr.Web virus databases, so BackDoor.Butirat.245 poses no threat to computers protected by Doctor Web anti-viruses.