Hi,
I heard about 64-Bit trojans that can attack the vulnerabilities of Windows 7. What can backdoor.Conpee trojan do to 64-Bit systems? How can we prevent this kind of trojan?
Backdoor.conpee uses stolen certificates and creates the following files: %Temp%f[FIVE RANDOM NUMBERS]5.dat , %Temp%f[THREE RANDOM NUMBERS].dat , %Temp%system_001.dmp , %Temp%VX[FOUR RANDOM NUMBERS].tmp ,
and modifies HKEY_LOCAL_MACHINESYSTEMControlSet001services[SERVICE NAME]"Start" = "2" and HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices[SERVICE NAME]"FailureActions" = "[RANDOM CHARACTERS]"
which then performs upload, delete, install, start and stop plug ins, update and download clients and files, opens a shell, sets the upload and download speed, and suddenly restarts or shuts down your computer. It can also alleviate the restrictions of an account making it an administrator without the administrator's knowledge. Backdoor. conpee comes with a Kernel Mode Signing and Kernel Patch Protection that makes it also vulnerable to Malware.
Use a firewall to avoid backdoor virus' infection online. Keep your patch updated and make low privileges but make tasks of the user still doable. Also, disable Auto play to avoid automatic running of programs. With that, make restrictions on what sites you just want access to.
According to Symantec, their discovery of the Backdoor.Conpee Trojan virus was on March 6, 2012. Systems that were reported to be affected are Windows 2000, Windows 95, Windows 98, Windows Millennium, Windows NT, Windows Server 2003, Windows Server 2008, Windows XP, Windows Vista, and Windows 7. When a computer is infected and the Trojan is executed, it will create the following files:
Aside from the 3 files listed above, it will also create one of the following files:
After creating one of the files listed above, it will then modify one of the following files:
Additionally, in case the machine is running on a 64-bit operating system, the Trojan will create the file %Temp%VX[FOUR RANDOM NUMBERS].tmp. After that, it starts one of the following services:
Once the service is running, it will modify the following registry entries associated to the service:
Finally, the Trojan opens a back door that will allow an attacker to do the following actions: update the client, upload and download files, open a shell, configure the upload and download speeds, shutdown or restart the computer, or add new functionality by means of a plug-in.
