Discovered: June 27, 2004
Updated: June 27, 2004 11:34:50 AM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Backdoor.Botex is a back door server program that allows unauthorized remote access to a compromised system. It attempts to steal user information and system settings.
When the back door is installed, it copies itself to the following files:
%System%\<original file name>.exe
%Windows%\IsUninst.exe
%Windows%\IsUn0404.exe
%Windows%\IsUn0804.exe
It creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet = %System%\<original file name>.exe
It replaces the default (Notepad) handler for the txtfile file type with the following registry entry, so that it executes whenever a text file is opened:
HKEY_CLASSES_ROOT\txtfile\shell\open\command\(Default) = "%System%\<original file name>.exe" "%1"
It attempts to stop the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service.
It overwrites C:\AUTOEXEC.BAT with a batch file that attempts to stop the same service. The file contains the following command:
net stop "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" >C:\BOOTEX.LOG
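The persistence and firewall-tampering steps above can be checked offline against artefacts pulled from a disk image. The following is an added example, not Symantec's or the malware's code: it parses a regedit export (.reg text) for the Run value and the hijacked txtfile handler, scans AUTOEXEC.BAT for the net stop line, and flags the dropped filenames in %Windows%. The sample inputs are constructed; "photo.exe" stands in for the unspecified <original file name>. Note that IsUninst.exe, IsUn0404.exe and IsUn0804.exe are also legitimate InstallShield uninstaller names, so a filename hit alone is a lead to verify (hash the binary), not a confirmation.

```python
"""Offline triage for the Backdoor.Botex persistence described in the write-up.
Added example; sample artefacts below are constructed, not captured."""
import ntpath
from typing import Dict, List

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
ICF_SERVICE = "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
# Names dropped into %Windows%; they collide with InstallShield's uninstaller,
# so treat a match as a lead and verify the binary.
DROPPED_NAMES = {"isuninst.exe", "isun0404.exe", "isun0804.exe"}


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> \")."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG_SZ values from a regedit export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else _unescape(name.strip().strip('"'))
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):  # dword:/hex: skipped
            keys[current][name] = _unescape(value[1:-1])
    return keys


def exe_of(command: str) -> str:
    """Executable path at the head of a shell command, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def analyze(reg_text: str, autoexec_text: str, windows_listing: List[str]) -> List[str]:
    """Return findings in a fixed order; an empty list means no Botex indicators."""
    keys = parse_reg_export(reg_text)
    findings: List[str] = []
    # 1. Run value named "internet" that launches a binary from %System%.
    for name, cmd in keys.get(RUN_KEY, {}).items():
        exe = exe_of(cmd)
        if name.lower() == "internet" and "\\system" in exe.lower():
            findings.append(f"run-key: '{name}' starts {exe}")
    # 2. txtfile handler: anything but Notepad in front of "%1" is a hijack.
    handler = keys.get(TXTFILE_KEY, {}).get("(Default)")
    if handler and ntpath.basename(exe_of(handler)).lower() != "notepad.exe":
        findings.append(f"txtfile-handler: hijacked by {exe_of(handler)}")
    # 3. AUTOEXEC.BAT rewritten to stop the ICF/ICS service.
    for line in autoexec_text.splitlines():
        low = line.lower()
        if "net stop" in low and ICF_SERVICE.lower() in low:
            findings.append("autoexec: firewall service stopped at boot")
            break
    # 4. Dropped filenames in %Windows% (verify: legitimate InstallShield names).
    for path in windows_listing:
        if ntpath.basename(path).lower() in DROPPED_NAMES:
            findings.append(f"dropped-file: {path}")
    return findings


# --- constructed sample artefacts (photo.exe = hypothetical original name) ---
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internet"="C:\\WINDOWS\\System32\\photo.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"C:\\WINDOWS\\System32\\photo.exe\" \"%1\""
'''
INFECTED_AUTOEXEC = ('net stop "Internet Connection Firewall (ICF) / '
                     'Internet Connection Sharing (ICS)" >C:\\BOOTEX.LOG\r\n')
INFECTED_LISTING = [r"C:\WINDOWS\IsUninst.exe", r"C:\WINDOWS\IsUn0804.exe",
                    r"C:\WINDOWS\notepad.exe"]
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for finding in analyze(INFECTED_REG, INFECTED_AUTOEXEC, INFECTED_LISTING):
        print("FOUND", finding)
```

The txtfile check compares only the basename of the handler's executable, so a clean machine whose Notepad path is expressed with %SystemRoot% still passes; the Run-key check deliberately requires both the value name "internet" and a %System% path, because a Run value in System32 alone is common for legitimate software.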
The back door opens port 2222/UDP and accepts the remote attacker's connections on random TCP ports.
The attacker can then perform the following actions on the compromised host:
Steal password information
Download, upload and delete files
Log key strokes
Capture screenshots