BackDoor.Pigeon1.5552

Technical Information

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Windows_rejoice2007_45] 'Start' = '00000002'

Malicious functions:

Creates and executes the following:

%CommonProgramFiles%\Microsoft Shared\MSInfo\svrhost.exe

Executes the following:

<SYSTEM32>\dumprep.exe 3300 -dm 7 7 %TEMP%\WER9e67.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3248 -dm 7 7 %TEMP%\WER60bf.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3300 -dm 7 7 %TEMP%\WER9e67.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3352 -dm 7 7 %TEMP%\WERb7a4.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3352 -dm 7 7 %TEMP%\WERb7a4.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3248 -dm 7 7 %TEMP%\WER60bf.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3140 -dm 7 7 %TEMP%\WER1082.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3088 -dm 7 7 %TEMP%\WERfa43.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3140 -dm 7 7 %TEMP%\WER1082.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3192 -dm 7 7 %TEMP%\WER4fcf.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3192 -dm 7 7 %TEMP%\WER4fcf.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3408 -dm 7 7 %TEMP%\WERed05.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3620 -dm 7 7 %TEMP%\WER735b.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3568 -dm 7 7 %TEMP%\WER5a16.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3620 -dm 7 7 %TEMP%\WER735b.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3684 -dm 7 7 %TEMP%\WERada0.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3684 -dm 7 7 %TEMP%\WERada0.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3568 -dm 7 7 %TEMP%\WER5a16.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3460 -dm 7 7 %TEMP%\WER05c4.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3408 -dm 7 7 %TEMP%\WERed05.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3460 -dm 7 7 %TEMP%\WER05c4.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3512 -dm 7 7 %TEMP%\WER3d92.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3512 -dm 7 7 %TEMP%\WER3d92.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 3088 -dm 7 7 %TEMP%\WERfa43.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 2668 -dm 7 7 %TEMP%\WERb515.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 2616 -dm 7 7 %TEMP%\WER930c.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 2668 -dm 7 7 %TEMP%\WERb515.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 2720 -dm 7 7 %TEMP%\WERedf4.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 2720 -dm 7 7 %TEMP%\WERedf4.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 2616 -dm 7 7 %TEMP%\WER930c.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\cmd.exe /c "%CommonProgramFiles%\Microsoft Shared\MSINFO\Delet.bat"
<SYSTEM32>\calc.exe
<SYSTEM32>\dumprep.exe 2504 -dm 7 7 %TEMP%\WER4d63.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\rundll32.exe <SYSTEM32>\sysdm.cpl,NoExecuteProcessException <SYSTEM32>\calc.exe
<SYSTEM32>\dumprep.exe 2504 -dm 7 7 %TEMP%\WER4d63.dir00\calc.exe.hdmp 16325836412027096
<SYSTEM32>\dumprep.exe 2772 -dm 7 7 %TEMP%\WER0703.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 2984 -dm 7 7 %TEMP%\WERa202.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 2932 -dm 7 7 %TEMP%\WER8983.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 2984 -dm 7 7 %TEMP%\WERa202.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3036 -dm 7 7 %TEMP%\WERdb66.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 3036 -dm 7 7 %TEMP%\WERdb66.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 2932 -dm 7 7 %TEMP%\WER8983.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 2824 -dm 7 7 %TEMP%\WER3fef.dir00\calc.exe.mdmp 16325836412027076
<SYSTEM32>\dumprep.exe 2772 -dm 7 7 %TEMP%\WER0703.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 2824 -dm 7 7 %TEMP%\WER3fef.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 2876 -dm 7 7 %TEMP%\WER50e4.dir00\calc.exe.hdmp 16325836412027088
<SYSTEM32>\dumprep.exe 2876 -dm 7 7 %TEMP%\WER50e4.dir00\calc.exe.mdmp 16325836412027076

Injects code into

the following system processes:

<SYSTEM32>\calc.exe

Modifies file system :

Creates the following files:

%TEMP%\WER9e67.dir00\calc.exe.mdmp
%TEMP%\WER9e67.dir00\calc.exe.hdmp
%TEMP%\WER60bf.dir00\manifest.txt
%TEMP%\WER60bf.dir00\calc.exe.hdmp
%TEMP%\WER60bf.dir00\appcompat.txt
%TEMP%\WER9e67.dir00\appcompat.txt
%TEMP%\WERb7a4.dir00\appcompat.txt
%TEMP%\WERb7a4.dir00\manifest.txt
%TEMP%\WERb7a4.dir00\calc.exe.hdmp
%TEMP%\WER9e67.dir00\manifest.txt
%TEMP%\WERb7a4.dir00\calc.exe.mdmp
%TEMP%\WER1082.dir00\calc.exe.hdmp
%TEMP%\WER1082.dir00\appcompat.txt
%TEMP%\WER1082.dir00\calc.exe.mdmp
%TEMP%\WERfa43.dir00\appcompat.txt
%TEMP%\WERfa43.dir00\manifest.txt
%TEMP%\WER1082.dir00\manifest.txt
%TEMP%\WER4fcf.dir00\manifest.txt
%TEMP%\WER60bf.dir00\calc.exe.mdmp
%TEMP%\WER4fcf.dir00\appcompat.txt
%TEMP%\WER4fcf.dir00\calc.exe.mdmp
%TEMP%\WER4fcf.dir00\calc.exe.hdmp
%TEMP%\WER5a16.dir00\appcompat.txt
%TEMP%\WER5a16.dir00\manifest.txt
%TEMP%\WER5a16.dir00\calc.exe.hdmp
%TEMP%\WER3d92.dir00\manifest.txt
%TEMP%\WER5a16.dir00\calc.exe.mdmp
%TEMP%\WER735b.dir00\calc.exe.mdmp
%TEMP%\WERada0.dir00\calc.exe.mdmp
%TEMP%\WERada0.dir00\calc.exe.hdmp
%TEMP%\WER735b.dir00\manifest.txt
%TEMP%\WER735b.dir00\calc.exe.hdmp
%TEMP%\WER735b.dir00\appcompat.txt
%TEMP%\WERed05.dir00\manifest.txt
%TEMP%\WER05c4.dir00\calc.exe.mdmp
%TEMP%\WERed05.dir00\appcompat.txt
%TEMP%\WERed05.dir00\calc.exe.mdmp
%TEMP%\WERed05.dir00\calc.exe.hdmp
%TEMP%\WER05c4.dir00\calc.exe.hdmp
%TEMP%\WER3d92.dir00\calc.exe.hdmp
%TEMP%\WER3d92.dir00\appcompat.txt
%TEMP%\WER3d92.dir00\calc.exe.mdmp
%TEMP%\WER05c4.dir00\appcompat.txt
%TEMP%\WER05c4.dir00\manifest.txt
%TEMP%\WERfa43.dir00\calc.exe.hdmp
%TEMP%\WERb515.dir00\manifest.txt
%TEMP%\WERedf4.dir00\calc.exe.mdmp
%TEMP%\WERb515.dir00\appcompat.txt
%TEMP%\WERb515.dir00\calc.exe.mdmp
%TEMP%\WERb515.dir00\calc.exe.hdmp
%TEMP%\WERedf4.dir00\calc.exe.hdmp
%TEMP%\WER0703.dir00\calc.exe.hdmp
%TEMP%\WER0703.dir00\appcompat.txt
%TEMP%\WER0703.dir00\calc.exe.mdmp
%TEMP%\WERedf4.dir00\appcompat.txt
%TEMP%\WERedf4.dir00\manifest.txt
%TEMP%\WER4d63.dir00\calc.exe.mdmp
%TEMP%\WER4d63.dir00\calc.exe.hdmp
%CommonProgramFiles%\Microsoft Shared\MSInfo\Delet.bat
%CommonProgramFiles%\Microsoft Shared\MSInfo\svrhost.exe
<SYSTEM32>\_svrhost.exe
%TEMP%\WER4d63.dir00\appcompat.txt
%TEMP%\WER930c.dir00\appcompat.txt
%TEMP%\WER930c.dir00\manifest.txt
%TEMP%\WER930c.dir00\calc.exe.hdmp
%TEMP%\WER4d63.dir00\manifest.txt
%TEMP%\WER930c.dir00\calc.exe.mdmp
%TEMP%\WERa202.dir00\calc.exe.hdmp
%TEMP%\WERa202.dir00\appcompat.txt
%TEMP%\WERa202.dir00\calc.exe.mdmp
%TEMP%\WER8983.dir00\appcompat.txt
%TEMP%\WER8983.dir00\manifest.txt
%TEMP%\WERa202.dir00\manifest.txt
%TEMP%\WERdb66.dir00\manifest.txt
%TEMP%\WERfa43.dir00\calc.exe.mdmp
%TEMP%\WERdb66.dir00\appcompat.txt
%TEMP%\WERdb66.dir00\calc.exe.mdmp
%TEMP%\WERdb66.dir00\calc.exe.hdmp
%TEMP%\WER3fef.dir00\appcompat.txt
%TEMP%\WER3fef.dir00\manifest.txt
%TEMP%\WER3fef.dir00\calc.exe.hdmp
%TEMP%\WER0703.dir00\manifest.txt
%TEMP%\WER3fef.dir00\calc.exe.mdmp
%TEMP%\WER50e4.dir00\calc.exe.mdmp
%TEMP%\WER8983.dir00\calc.exe.mdmp
%TEMP%\WER8983.dir00\calc.exe.hdmp
%TEMP%\WER50e4.dir00\manifest.txt
%TEMP%\WER50e4.dir00\calc.exe.hdmp
%TEMP%\WER50e4.dir00\appcompat.txt

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\_svrhost.exe
%CommonProgramFiles%\Microsoft Shared\MSInfo\svrhost.exe

Deletes itself.

Network activity:

Connects to:

'localhost':8181

Miscellaneous:

Searches for the following windows:

ClassName: 'TRE20070711' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'MS_WINHELP' WindowName: ''

Tecnologías

Términos

Formación y educación

Mitos

Technical Information

Curing recommendations

Free trial