Threat behavior
Backdoor:Win32/Cycbot.B is a backdoor trojan that allows attackers unauthorized access and control of an affected computer. After a computer is infected, the trojan connects to a specific remote server to receive commands from attackers. The commands may include instructing the trojan to update itself, visit web links, or download and execute arbitrary files.
Installation
When executed, Backdoor:Win32/Cycbot.B copies itself to c:\documents and settings\administrator\application data\microsoft\svchost.exe.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "svchost"
With data: "c:\documents and settings\administrator\application data\microsoft\svchost.exe"
The malware creates the following files on an affected computer:
- c:\documents and settings\administrator\application data\microsoft\stor.cfg
- c:\documents and settings\administrator\application data\microsoft\windows\shell.exe
- c:\documents and settings\administrator\local settings\temp\dwm.exe
These files store configuration and logging information for the malware.
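The persistence described above (a Run value named "svchost" pointing at an svchost.exe under Application Data rather than System32) and the dropped files are the indicators a defender can check for. The following is an added example, not part of the original write-up: it parses the text produced by `reg export` of a Run key, flags any value that launches an svchost.exe outside System32, and matches a file listing against the dropped-file paths. The registry sample is constructed here; the "OneDrive" entry is a hypothetical benign value, and the user-profile portion of the paths is assumed to vary from the analysis machine's "administrator" profile.

```python
import re
from pathlib import PureWindowsPath

# The only legitimate home of svchost.exe; an svchost.exe anywhere else in a Run value is suspect.
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Dropped files named in the write-up, as lowercase path suffixes under the user profile.
DROPPED_FILE_SUFFIXES = (
    r"application data\microsoft\stor.cfg",
    r"application data\microsoft\windows\shell.exe",
    r"local settings\temp\dwm.exe",
)

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
def parse_reg_export(text):
    """Turn the [key] / "name"="data" lines of a `reg export` dump into {(key, name): data}."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := _VALUE_LINE.match(line)) and key:
            # .reg files escape backslashes and double quotes inside string data
            data = re.sub(r'\\(["\\])', r"\1", m.group("data"))
            entries[(key, m.group("name"))] = data
    return entries

def find_fake_svchost(entries):
    """Return (key, value name, exe path) for Run values that launch an svchost.exe outside System32."""
    hits = []
    for (key, name), data in entries.items():
        if not key.upper().endswith(r"\CURRENTVERSION\RUN"):
            continue
        m = re.match(r'"?(?P<exe>.*?\.exe)', data, re.IGNORECASE)  # drop quotes and arguments
        if m:
            exe = PureWindowsPath(m.group("exe"))
            if exe.name.lower() == "svchost.exe" and exe.parent != SYSTEM32:
                hits.append((key, name, str(exe)))
    return hits

def find_dropped_files(paths):
    """Return entries of a file listing that end with one of the known dropped-file paths."""
    return [p for p in paths if p.lower().endswith(DROPPED_FILE_SUFFIXES)]

# Constructed sample export: one hypothetical benign Run value plus the Cycbot.B persistence value.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="c:\\documents and settings\\administrator\\application data\\microsoft\\svchost.exe"
'''
```

Run the same functions over exports of both the HKLM and HKCU Run keys, since the write-up notes the value may be written to either.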
Payload
Allows backdoor access and control
Backdoor:Win32/Cycbot.B allows unauthorized access and control of an affected computer. It does so by connecting to one of a number of web servers, which may respond with commands for it to execute. It may also send status information to these servers.
Examples of servers used by the malware include the following:
An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Cycbot.B. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Update itself
- Stop running
- Visit web links, possibly to collect money from pay-per-click advertising
- Modify system settings
- Run or terminate applications
- Delete files
Downloads and installs additional malware
Backdoor:Win32/Cycbot.B has been observed to download and execute fake security software, such as Rogue:Win32/FakePAV.
Analysis by David Wood
Prevention