The Dangers of 64-Bit Trojans

Asked By 10 points N/A Posted on -

Hi,

I heard about 64-bit trojans that can attack the vulnerabilities of Windows 7. What can the Backdoor.Conpee trojan do to 64-bit systems? How can we prevent this kind of trojan?

Answered By 0 points N/A #109013

Backdoor.Conpee uses stolen certificates and creates the following files: %Temp%\f[FIVE RANDOM NUMBERS]5.dat, %Temp%\f[THREE RANDOM NUMBERS].dat, %Temp%\system_001.dmp, %Temp%\VX[FOUR RANDOM NUMBERS].tmp,

and modifies HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\[SERVICE NAME]\"Start" = "2" and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]\"FailureActions" = "[RANDOM CHARACTERS]"

which then performs upload, delete, install, start and stop plug-ins, update and download clients and files, opens a shell, sets the upload and download speed, and suddenly restarts or shuts down your computer. It can also alleviate the restrictions of an account, making it an administrator without the administrator's knowledge. Backdoor.Conpee comes with a Kernel Mode Signing and Kernel Patch Protection that makes it also vulnerable to malware.

Use a firewall to avoid backdoor virus infection online. Keep your patches updated and use low privileges, but keep the user's tasks still doable. Also, disable AutoPlay to avoid automatic running of programs. With that, make restrictions on what sites you want access to.

Answered By 590495 points N/A #109014

According to Symantec, their discovery of the Backdoor.Conpee Trojan virus was on March 6, 2012. Systems that were reported to be affected are Windows 2000, Windows 95, Windows 98, Windows Millennium, Windows NT, Windows Server 2003, Windows Server 2008, Windows XP, Windows Vista, and Windows 7. When a computer is infected and the Trojan is executed, it will create the following files:

  • %Temp%\f[FIVE RANDOM NUMBERS]5.dat
  • %Temp%\f[THREE RANDOM NUMBERS].dat
  • %Temp%\system_001.dmp

Aside from the 3 files listed above, it will also create one of the following files:

  • %System%\msupmgr.dll
  • %System%\wuaucli.dll
  • %System%\mspatch.dll
  • %System%\advpacket.dll
  • %System%\mscmmc.dll

After creating one of the files listed above, it will then modify one of the following files:

  • %System%\mspatcha.dll
  • %System%\tcpmon.dll
  • %System%\spoolss.dll
  • %System%\wuaueng.dll
  • %System%\mspatcha.dll
  • %System%\advpack.dll
  • %System%\mscms.dll

Additionally, in case the machine is running on a 64-bit operating system, the Trojan will create the file %Temp%\VX[FOUR RANDOM NUMBERS].tmp. After that, it starts one of the following services:

  • spooler
  • wuauserv
  • stisvc

Once the service is running, it will modify the following registry entries associated with the service:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\[SERVICE NAME]\"Start" = "2"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]\"FailureActions" = "[RANDOM CHARACTERS]"

Finally, the Trojan opens a back door that will allow an attacker to do the following actions: update the client, upload and download files, open a shell, configure the upload and download speeds, shut down or restart the computer, or add new functionality by means of a plug-in.
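
The file indicators listed in the answer above can be turned into a triage check over a file listing. This is an added example, not part of the original answer or of Symantec's write-up. It assumes "RANDOM NUMBERS" means decimal digits and that %Temp% and %System% resolve to directories named Temp and System32; the sample paths and the strong/weak verdict rule are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# File names from the answer above. Assumption: "RANDOM NUMBERS" = decimal digits.
TEMP_PATTERNS = {
    "temp-data-5": re.compile(r"f\d{5}5\.dat", re.IGNORECASE),
    "temp-data-3": re.compile(r"f\d{3}\.dat", re.IGNORECASE),
    "temp-dump": re.compile(r"system_001\.dmp", re.IGNORECASE),
    "temp-x64": re.compile(r"VX\d{4}\.tmp", re.IGNORECASE),  # 64-bit systems only
}
DROPPED_DLLS = {"msupmgr.dll", "wuaucli.dll", "mspatch.dll",
                "advpacket.dll", "mscmmc.dll"}

# Constructed sample listing (not real telemetry).
SAMPLE = [
    r"C:\Users\alice\AppData\Local\Temp\f123455.dat",
    r"C:\Users\alice\AppData\Local\Temp\F042.DAT",
    r"C:\Users\alice\AppData\Local\Temp\VX0931.tmp",
    r"C:\Windows\System32\wuaucli.dll",
    r"C:\Windows\System32\wuaueng.dll",   # legitimate name: modified, not created
    r"C:\Users\alice\Documents\f123.dat",  # right name, wrong directory
]

def classify(path):
    """Return an indicator label for one Windows path, or None."""
    p = PureWindowsPath(path)
    parent = p.parent.name.lower()
    if parent == "temp":
        for label, rx in TEMP_PATTERNS.items():
            if rx.fullmatch(p.name):
                return label
    if parent == "system32" and p.name.lower() in DROPPED_DLLS:
        return "dropped-dll"
    return None

def triage(paths):
    """Group matching paths by indicator label."""
    hits = {}
    for path in paths:
        label = classify(path)
        if label:
            hits.setdefault(label, []).append(path)
    return hits

def verdict(hits):
    """Hypothetical rule: a Temp artifact plus a dropped DLL is a strong signal."""
    has_temp = any(label.startswith("temp-") for label in hits)
    if has_temp and "dropped-dll" in hits:
        return "strong"
    return "weak" if hits else "none"

if __name__ == "__main__":
    found = triage(SAMPLE)
    print(verdict(found), found)
```

Name matching cannot detect the system DLLs the Trojan modifies in place, since they keep their legitimate names; those need a hash or signature comparison against known-good copies.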
