September 8, 2013
On a compromised system, the Trojan launches the file temp.exe to bypass UAC. This file extracts a library used for the UAC bypass and injects its code into the explorer.exe process, after which the library is saved into a system folder. Then, when the sysrep utility is launched, the library code starts the malicious application ps.exe, which Dr.Web anti-virus detects as Trojan.MulDrop4.61259. In turn, this file saves another library to a different folder. That library file is registered in the Windows Registry as a service named "Net Security Service" with the following description: “keep watch on system security and configuration.if this services is stopped, protoected content might not be down loaded to the device”. This library contains the main backdoor payload.
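The service name and the misspelled description quoted above are the most stable host-based indicators in this write-up. The following script is an added example (not Doctor Web's code) that parses a registry export of the Services hive and flags entries matching them; the .reg text, the key name NetSecSvc and the benign Dnscache entry are constructed for the demonstration.

```python
import re

# Indicators taken from the description of BackDoor.Saker.1 above.
SUSPECT_NAME = "Net Security Service"
SUSPECT_DESC_FRAGMENTS = ("protoected content", "down loaded to the device")

# Constructed .reg-style export of two service keys (not a real capture);
# the second one mimics the registration described in the write-up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"
"Description"="Resolves and caches DNS names."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetSecSvc]
"DisplayName"="Net Security Service"
"Description"="keep watch on system security and configuration.if this services is stopped, protoected content might not be down loaded to the device"
"""

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]")
VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')


def parse_services(reg_text):
    """Return {service_key: {value_name: value}} from a .reg export of the Services hive."""
    services, current = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            services[current][value.group(1)] = value.group(2)
    return services


def find_suspect_services(reg_text):
    """Return the keys of services whose display name or description matches the indicators."""
    hits = []
    for key, values in parse_services(reg_text).items():
        name = values.get("DisplayName", "")
        desc = values.get("Description", "").lower()
        if name == SUSPECT_NAME or any(frag in desc for frag in SUSPECT_DESC_FRAGMENTS):
            hits.append(key)
    return hits


if __name__ == "__main__":
    print(find_suspect_services(SAMPLE_REG))  # → ['NetSecSvc']
```

On a live host the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, decoded from UTF-16 before being passed in.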
When launched, BackDoor.Saker.1 collects information about the compromised system, including the Windows version, CPU frequency, available RAM, computer name, user login and hard disk serial number, and transmits it to the criminals. Next, the Trojan creates a file in a system folder into which user keystrokes are logged. After this, the backdoor waits for a response from the remote server, which may command it to reboot or shut down the machine, remove itself, start a separate thread to execute commands via a shell, or run its own file manager, which can upload files from the infected machine, download files over the network, create folders, and delete, move and run files.
The threat's signature has been added to the Dr.Web virus databases, so BackDoor.Saker.1 poses no threat to computers protected by Doctor Web anti-viruses.