Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

BACKDOOR.PHDET.A

Name: Backdoor.Phdet.a
Added: January 5, 2012
Type: Backdoor
Risk: Low
Payload: N/A
At risk systems: Windows 95/98/ME/XP/NT/2003


Description:

When Backdoor.Phdet.a is executed, it performs the following activities:

After execution it drops the following file:

%Windir%\system32\mssrv32.exe

It creates/modifies the following registry entries:

HKLM\SYSTEM\ControlSet001\Services\msupdate
    ImagePath = "%Windir%\system32\mssrv32.exe"
    DisplayName = "Microsoft security update service"

HKLM\SYSTEM\CurrentControlSet\Services\msupdate
    ImagePath = "%Windir%\system32\mssrv32.exe"

It creates a process by injecting itself into "svchost.exe". This backdoor also shows rootkit behavior and attempts to establish a remote connection with the web server: hxxp://1XX.1XX.XX0.XX:80
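
A host check for the file and service indicators listed above, written as an added example and not a Thirtyseven4 tool. The function name Test-PhdetIndicators is hypothetical; the paths, service name and display name are the ones given in this entry.

```powershell
# Added example: looks for the file and service indicators listed in this entry.
# Test-PhdetIndicators is a hypothetical helper name, not a vendor tool.
$ServiceName = 'msupdate'
$DisplayName = 'Microsoft security update service'
$DroppedFile = Join-Path $env:windir 'system32\mssrv32.exe'
$ControlSets = 'ControlSet001', 'CurrentControlSet'

function Test-PhdetIndicators {
    $findings = @()

    # Dropped executable on disk.
    if (Test-Path -LiteralPath $DroppedFile -PathType Leaf) {
        $findings += "File present: $DroppedFile"
    }

    # Service registration under each control set named in the entry.
    foreach ($set in $ControlSets) {
        $key = "HKLM:\SYSTEM\$set\Services\$ServiceName"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $findings += "Service key present: $key"

        $props = Get-ItemProperty -LiteralPath $key
        if ($props.ImagePath) {
            # Expand %Windir% and drop surrounding quotes before comparing.
            $image = [Environment]::ExpandEnvironmentVariables($props.ImagePath).Trim('"')
            if ($image -like '*\system32\mssrv32.exe') {
                $findings += "  ImagePath matches: $image"
            }
        }
        if ($props.DisplayName -eq $DisplayName) {
            $findings += "  DisplayName matches: $($props.DisplayName)"
        }
    }
    return $findings
}

$result = Test-PhdetIndicators
if ($result) {
    $result
} else {
    Write-Output 'No Backdoor.Phdet.a file or service indicators found.'
}
```

Because the entry notes rootkit behavior, an empty result on the running system is not conclusive; the same paths can be checked from an offline copy of the disk and SYSTEM hive.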
 

 

 

 

 

 

 

 