BACKDOOR.CYCBOT.CFGA (Personal Shield Pro)
Name:
Backdoor.Cycbot.cfga
Added:
September 8, 2011
Type:
Backdoor
Risk:
Low
Payload:
N/A
At risk systems:
Windows 95/98/ME/XP/NT/2003
Description:
When Backdoor.Cycbot.cfga is executed, it installs the rogueware application "Personal Shield Pro" and performs the following activities:

After execution, it creates the following folder:
%allusersprofile%\{RandomName}

It drops the following files:
%allusersprofile%\{Random-Name}\{RandomName}.exe
%appdata%\Microsoft\conhost.exe
%appdata%\954A.727
%appdata%\dwm.exe
%homepath%\Local Settings\Temp\3.tmp
%homepath%\Local Settings\Temp\4.tmp
%homepath%\Local Settings\Temp\5.tmp
%homepath%\Local Settings\Temp\6.tmp
%homepath%\Local Settings\Temp\7.tmp
%homepath%\Local Settings\Temp\8.tmp
%homepath%\Local Settings\Temp\a98E9.tmp
%homepath%\Local Settings\Temp\csrss.exe
%homepath%\Local Settings\Temp\t5366.tmp

Upon execution of "%allusersprofile%\{Random-Name}\{RandomName}.exe", it installs the fake antivirus on the system.

It creates/modifies the following registry entries:

Shell = "explorer.exe,%appdata%\dwm.exe"
HKCU\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

conhost = "%appdata%\Microsoft\conhost.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

{RandomName} = %allusersprofile%\{Random-Name}\{RandomName}.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
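
The persistence pattern described above can be checked for generically: system binary names (conhost.exe, dwm.exe, csrss.exe) started from user-writable folders, and a Shell value that launches more than explorer.exe. The following is an added example, not part of the original entry or any vendor tool; the function names and the sample records are constructed, and it assumes autorun data has been exported with environment variables unexpanded, as written in this entry.

```python
import ntpath

# File names the entry lists as dropped copies; the genuine binaries live in System32.
SYSTEM_NAMES = {"conhost.exe", "dwm.exe", "csrss.exe"}
USER_WRITABLE = ("%appdata%", "%allusersprofile%", "%homepath%")

# Constructed sample records (key, value name, data); "abcd" stands in for {RandomName}.
SAMPLE_RECORDS = [
    (r"HKCU\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "Shell", r"explorer.exe,%appdata%\dwm.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "conhost", r"%appdata%\Microsoft\conhost.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "abcd", r"%allusersprofile%\abcd\abcd.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

def check_entry(key, name, data):
    """Return findings for one autorun record (key, value name, data)."""
    findings = []
    # A value may hold several comma-separated commands, as the Shell entry does.
    commands = [p.strip().strip('"') for p in data.split(",") if p.strip()]
    for cmd in commands:
        lowered = cmd.lower()
        in_user_path = lowered.startswith(USER_WRITABLE)
        if ntpath.basename(lowered) in SYSTEM_NAMES and in_user_path:
            findings.append(f"system binary name outside System32: {cmd}")
        elif in_user_path and key.lower().endswith(("\\run", "\\runonce")):
            findings.append(f"autorun from user-writable path: {cmd}")
    if name.lower() == "shell" and len(commands) > 1:
        findings.append("Shell value launches more than explorer.exe")
    return findings

def scan(records):
    """Map value name -> findings for every record with at least one finding."""
    flagged = {}
    for key, name, data in records:
        findings = check_entry(key, name, data)
        if findings:
            flagged[name] = findings
    return flagged

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_RECORDS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```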