February 18, 2016
The malicious program BackDoor.Andromeda.1407 is spread by Trojan.Sathurbot.1, a downloader Trojan also known as “Hydra”. BackDoor.Andromeda.1407 is designed mainly to execute cybercriminals’ instructions, in particular to download and install other malware.
Once launched, it checks its command line for the “/test” switch. If the switch is present, it prints a message containing the text “\n Test - OK” to the console and terminates itself after 3 seconds. This function was probably intended for testing packers. Shortly after that, the Trojan checks whether it is running in a virtual machine and looks for process monitors, registry monitors and debuggers. If it finds any program that poses a threat to it, the backdoor goes into an infinite sleep.
After that, BackDoor.Andromeda.1407 obtains the system volume ID, which it uses when generating the names of various named objects, in particular environment variables, and in the messages it sends to the server. It then attempts to inject its code into another process and terminate the original one. If successful, it gathers information about the infected computer, including whether the operating system is 32- or 64-bit, its version, the current user’s privileges and the installed keyboard layouts. If the backdoor detects a Russian, Ukrainian, Belarusian or Kazakh keyboard layout, it terminates and deletes itself from the system.
BackDoor.Andromeda.1407 then tries to obtain the exact time by querying the NTP servers europe.pool.ntp.org, north-america.pool.ntp.org, south-america.pool.ntp.org, asia.pool.ntp.org, oceania.pool.ntp.org, africa.pool.ntp.org and pool.ntp.org. If none of these servers returns the required information, the backdoor falls back to the local system time. The time value is actively used by the Trojan’s plug-ins. The display of Windows system notifications is then disabled, along with some system services, depending on the operating system version.
If the compromised machine runs Microsoft Windows 8 or later, the Trojan continues operating with the current user’s privileges. On Windows 7, BackDoor.Andromeda.1407 tries to elevate its own privileges using one of the well-known methods and disables User Account Control (UAC).
The installation procedure is still not complete at this point. The Trojan disables the display of hidden files in Windows Explorer. It then goes through several system and user profile directories looking for one that is writable. Once such a folder is found, the backdoor copies the dropper into it under an arbitrary name and sets the “hidden” and “system” attributes on the file to conceal it from the user. The file’s creation time is also changed. Finally, BackDoor.Andromeda.1407 modifies the system registry so that the Trojan’s main module is launched automatically.
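The installation steps described above leave a recognisable trail on the host: an unusual process querying the regional NTP pools, UAC and the Explorer “show hidden files” setting being turned off in the registry, a timestomped executable in a profile or system directory, and a new Run-key entry. The following hunting script is an added example (not Doctor Web’s code) that scores these behaviours per process over Sysmon-style events. The event records are constructed for the example, the field names are simplified, and the drop path, process names and PIDs are made up; the registry paths and Sysmon event IDs are the standard Windows ones. The pool.ntp.org hosts are legitimate services, so the NTP rule keys on the querying process rather than on the destination alone.

```python
"""Added example: per-process hunting rules for the install-time behaviour in the write-up.

Events are constructed, Sysmon-style records reduced to dicts. Event IDs follow Sysmon:
2 = file creation time changed, 3 = network connection, 13 = registry value set.
Real telemetry would come from an EVTX export or a SIEM query (assumption: fields below).
"""
import re
from collections import defaultdict

# Regional NTP pool hosts named in the write-up. The Windows Time service contacts
# NTP servers legitimately; an arbitrary user process doing so is what stands out.
NTP_POOL_RE = re.compile(r"(^|\.)pool\.ntp\.org$", re.IGNORECASE)
TIME_SERVICE_IMAGES = {r"c:\windows\system32\svchost.exe"}

# Standard registry locations touched by the described steps.
UAC_RE = re.compile(r"\\policies\\system\\enablelua$", re.IGNORECASE)          # 0 = UAC off
EXPLORER_HIDDEN_RE = re.compile(r"\\explorer\\advanced\\hidden$", re.IGNORECASE)  # 2 = hide hidden files
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

# Profile / system directories the write-up says are tried as drop locations.
DROP_DIR_RE = re.compile(r"^c:\\(users\\[^\\]+\\appdata|programdata|windows)\\", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(exe|dll|scr)$", re.IGNORECASE)


def _dword(value):
    """Accept an int (used in the constructed records) or Sysmon's 'DWORD (0x...)' text."""
    if isinstance(value, int):
        return value
    m = re.search(r"0x([0-9a-f]+)", str(value), re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def indicators(event):
    """Names of the described behaviours that a single event matches (possibly none)."""
    hits = []
    eid, image = event["event_id"], event["image"].lower()
    if eid == 13:  # registry value set
        key = event["target"]
        if UAC_RE.search(key) and _dword(event.get("details")) == 0:
            hits.append("uac_disabled")
        if EXPLORER_HIDDEN_RE.search(key) and _dword(event.get("details")) == 2:
            hits.append("hidden_files_concealed")
        if RUN_KEY_RE.search(key):
            hits.append("autorun_persistence")
    elif eid == 2:  # file creation time changed (timestomping)
        path = event["target"]
        if DROP_DIR_RE.search(path) and EXECUTABLE_RE.search(path):
            hits.append("timestomped_executable_in_drop_dir")
    elif eid == 3:  # network connection
        if (event.get("dst_port") == 123 and event.get("protocol") == "udp"
                and NTP_POOL_RE.search(event.get("dst_host", ""))
                and image not in TIME_SERVICE_IMAGES):
            hits.append("ntp_query_from_user_process")
    return hits


def hunt(events, threshold=3):
    """Collect distinct indicators per (image, pid); report processes reaching `threshold`."""
    per_proc = defaultdict(set)
    for ev in events:
        per_proc[(ev["image"], ev["pid"])].update(indicators(ev))
    return {f"{img}|{pid}": sorted(found)
            for (img, pid), found in per_proc.items() if len(found) >= threshold}


# Constructed sample: one process performing the described steps, two benign ones.
MAL = {"image": r"C:\Users\alice\AppData\Local\Temp\sample.exe", "pid": 4120}
SVC = {"image": r"C:\Windows\System32\svchost.exe", "pid": 1064}
SETUP = {"image": r"C:\Users\alice\Downloads\app-setup.exe", "pid": 2208}
SAMPLE_EVENTS = [
    {**MAL, "event_id": 3, "protocol": "udp", "dst_port": 123, "dst_host": "europe.pool.ntp.org"},
    {**SVC, "event_id": 3, "protocol": "udp", "dst_port": 123, "dst_host": "time.windows.com"},
    {**MAL, "event_id": 13, "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {**MAL, "event_id": 13, "details": 2,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {**MAL, "event_id": 2, "target": r"C:\ProgramData\xk3q.exe"},  # made-up drop path
    {**MAL, "event_id": 13, "details": r"C:\ProgramData\xk3q.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\xk3q"},
    {**SETUP, "event_id": 13, "details": r"C:\Program Files\App\app.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\app"},  # benign installer
]

if __name__ == "__main__":
    for proc, found in hunt(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(found))
```

A single Run-key write or a single NTP query is common on a healthy host, which is why the rules are correlated per process with a threshold rather than alerted on individually; lowering `threshold` trades precision for recall.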
Doctor Web security researchers discovered that BackDoor.Andromeda.1407 can download and install the Trojan.Encoder.3905 ransomware Trojan, the Trojan.PWS.Panda.2401 banking Trojan, Trojan.Click3.15886, BackDoor.Siggen.60436, Trojan.DownLoader19.26835 and many others. Dr.Web successfully detects and removes BackDoor.Andromeda.1407.