Backdoor.Penrox

Risk Level 1: Very Low

Discovered:
August 21, 2001
Updated:
February 13, 2007 11:37:03 AM
Type:
Trojan Horse

Backdoor.Penrox is a Backdoor Trojan that allows unauthorized access to a compromised computer.



Why this Trojan needs to determine its own file name
When the Trojan is executed and the process is running in memory, it does not know the file name from which it was launched.

Many backdoor Trojans copy themselves to the %System% folder with a fixed file name (for example, Backdoor.Quimera). Backdoor.Penrox does not use a copy of the original file, but instead uses the original file. This original file could be any file name, and the Trojan is not coded to be aware of this file name. (For example, the hacker could make three identical copies of this Trojan, naming them CoolGame.exe, ScreenSaver.exe and NewBrowser.exe. Next, the hacker emails these files to three victims. When they are run on those targeted computers, the value is added to the registry \Run key using these file names with the proper path to where the victim has saved the attachment, which could be different for each user.)

The backdoor process calls GetModuleFileName, which returns a string containing the full path to the file from which the process was launched (including the file name). That path is what the Trojan writes into its registry \Run value.
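A defender's check for the behaviour described above, added here as an example and not part of the Symantec writeup: it inspects Run-key values and flags entries whose program lives outside %SystemRoot% or Program Files, which is where a file launched from wherever the victim saved the attachment will show up. The trusted-directory list, the environment map and the sample Run values are constructed assumptions so the script runs offline on any platform.

```python
import ntpath
import re

# Assumption: executables under these directories are expected Run-key targets.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample, modelled on the scenario above: two ordinary entries and two
# copies of the same Trojan saved under different names and different user paths.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%SystemRoot%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "CoolGame": r"C:\Documents and Settings\alice\My Documents\CoolGame.exe",
    "NewBrowser": r'"%USERPROFILE%\Desktop\NewBrowser.exe" -silent',
}
# Constructed environment so %VAR% references expand without a Windows host.
SAMPLE_ENV = {"SYSTEMROOT": r"C:\WINDOWS", "USERPROFILE": r"C:\Documents and Settings\alice"}


def expand_vars(text, env):
    """Expand %VAR% references from a caller-supplied map (unknown names are left as-is)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def executable_from_command(command):
    """Return the program path from a Run value: a quoted path, else text up to the first .exe."""
    m = re.match(r'\s*"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"\s*(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.strip().split()[0]


def flag_run_values(run_values, env):
    """Return [(value name, normalised path)] for entries launching from untrusted locations."""
    flagged = []
    for name, command in run_values.items():
        path = ntpath.normpath(expand_vars(executable_from_command(command), env)).lower()
        if not path.startswith(TRUSTED_PREFIXES):
            flagged.append((name, path))
    return flagged


if __name__ == "__main__":
    for name, path in flag_run_values(SAMPLE_RUN_VALUES, SAMPLE_ENV):
        print(f"review: {name} -> {path}")
```

Because the file name differs per victim, the check keys on the launch location and on the Run value itself rather than on a fixed name.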

Antivirus Protection Dates

  • Initial Rapid Release version August 21, 2001
  • Latest Rapid Release version August 20, 2008 revision 017
  • Initial Daily Certified version August 21, 2001
  • Latest Daily Certified version August 20, 2008 revision 016
  • Initial Weekly Certified release date August 22, 2001

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low
Writeup By: Andre Post
