Payload
The backdoor connects to a remote server on TCP port 8080 and waits for commands from that server.
The commands are extremely varied and give the remote malicious user full control of the victim machine: harvesting system information, downloading and launching files, creating and moving directories, executing a range of commands, modifying system registry keys, terminating active processes, taking screenshots of the desktop and sending them to the remote malicious user, shutting down the victim machine, and so on.
The backdoor also creates a clean (uninfected) Ichitaro document with a .JTD extension. This decoy replaces the Trojan file that installed the backdoor, so the original exploit document is no longer on disk.
Removal instructions
- Delete the backdoor file (the path to the file may be: %UserProfile%\Local Settings\Temp\ahah.exe).
- Delete the following files:
%System%\capapi32.dll
%System%\netlib32.dll
%System%\setups.bak
- If a file cannot be deleted because it is in use, terminate the process that loaded it (or boot into Safe Mode) and retry; the backdoor launches these files, so they are normally held open while it runs.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
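The removal steps above and the port-8080 command channel described under Payload can be checked in one pass with the following PowerShell triage script. It is an added example and is not part of the original Kaspersky description; it assumes PowerShell 3 or later on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection), an elevated prompt so that process image paths and the system directory are readable, and the indicator file names exactly as listed above. The %UserProfile%\Local Settings\Temp path quoted in the instructions is the Windows 2000/XP layout; on later versions the per-user temp directory is %LOCALAPPDATA%\Temp, so the script checks $env:TEMP as well, and it looks in SysWOW64 in addition to System32 as a precaution on 64-bit hosts.

```powershell
# Added triage script for the indicators in this description (not the original page's code).
# Assumptions: PowerShell 3+, Windows 8 / Server 2012 or later, run elevated.
param(
    [switch]$Remove   # when set, stop the owning processes and delete the indicator files
)

# Temp directories: modern %TEMP% plus the legacy XP-era path named in the removal steps.
$tempDirs = @(
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Local Settings\Temp')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# %System% is normally C:\Windows\System32; SysWOW64 is checked too (may not exist on 32-bit hosts).
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique

# File indicators taken from the Installation and Removal sections.
$candidates = @()
foreach ($d in $tempDirs)   { $candidates += Join-Path $d 'ahah.exe' }
foreach ($d in $systemDirs) {
    foreach ($n in 'capapi32.dll', 'netlib32.dll', 'setups.bak') { $candidates += Join-Path $d $n }
}

# Record size, timestamp and SHA-256 of every hit before anything is deleted.
$hits = foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $item = Get-Item -LiteralPath $p -Force
        [pscustomobject]@{
            Path    = $p
            Size    = $item.Length
            Written = $item.LastWriteTime
            SHA256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# Network indicator: an established outbound session to remote TCP port 8080 (the C2 port above).
$c2 = Get-NetTCPConnection -RemotePort 8080 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid        = $_.OwningProcess
            Process    = $proc.ProcessName
            Image      = $proc.Path
            RemoteAddr = $_.RemoteAddress
        }
    }

Write-Output "File indicators found: $(@($hits).Count)"
$hits | Format-Table -AutoSize | Out-String | Write-Output
Write-Output "Established connections to remote port 8080: $(@($c2).Count)"
$c2 | Format-Table -AutoSize | Out-String | Write-Output

if ($Remove) {
    # Stop the owners first: a DLL loaded by a running process cannot be deleted while it is mapped.
    foreach ($s in $c2) { if ($s.Pid) { Stop-Process -Id $s.Pid -Force -ErrorAction SilentlyContinue } }
    Get-Process -Name 'ahah' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($h in $hits) { Remove-Item -LiteralPath $h.Path -Force -ErrorAction Continue }
    Write-Output 'Deleted file indicators; run a full antivirus scan with updated databases to confirm.'
}
```

Run it without -Remove first to capture the hashes and see which image owns the port-8080 session; 8080 is also a common proxy port, so a connection there is a lead to verify against the owning image path, not proof on its own. With -Remove the script stops the owning processes and then deletes the files, which is the order the removal steps require since a loaded DLL cannot be unlinked while its process is alive.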
Technical Details
This Trojan provides a remote malicious user with access to the victim machine. The Trojan itself is a Windows PE EXE file.
This program is installed on the victim machine by another malicious program, Trojan-Dropper.Ichitaro.Tarodrop.a, which exploits a vulnerability in the Ichitaro office suite.
Installation
Once launched, the backdoor creates the following files and launches them for execution (%System% is the Windows system directory, normally C:\Windows\System32):
%System%\capapi32.dll
%System%\netlib32.dll
%System%\setups.bak
The second and third files are detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Delf.pv.