System Infected: Backdoor.Fexel Activity 6

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic generated by Backdoor.Fexel.

Additional Information

When the Trojan is executed, it may drop the following file:
%UserProfile%\Application Data\[8 HEXADECIMAL DIGITS].dll

The Trojan then creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[8 HEXADECIMAL DIGITS]" = "rundll32.exe %SystemDrive%\Documents and Settings\All Users\[8 HEXADECIMAL DIGITS].dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[8 HEXADECIMAL DIGITS]" = "rundll32.exe "%SystemDrive%\Documents and Settings\All Users\Application Data\[8 HEXADECIMAL DIGITS].dll",Launch"

Next, the Trojan gathers the following information from the compromised computer:
Volume information
Operating system version
User name
Disk space

The Trojan then encodes the stolen information and sends it to the following remote location:
103.17.117.90

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform malicious activities on the compromised computer.
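The persistence and network indicators above can be turned into a simple host and log check. The following is an added example for defenders and is not Symantec's signature or any code from the vendor: it flags Run-key entries whose value name is eight hexadecimal digits and whose command loads an eight-hex-digit DLL through rundll32.exe from a profile data or All Users directory, and it flags log lines that mention the remote address named in the description. The sample registry entries and log lines are constructed for the demonstration; the key paths and the IP address are taken from this page.

```python
import re

# Remote address from the signature description (taken from the page, not constructed).
C2_IP = "103.17.117.90"

# Run keys named in the description.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Value name of the Run entry: exactly eight hexadecimal digits.
HEX8_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")

# Command that loads an eight-hex-digit DLL via rundll32.exe from an
# "Application Data" or "All Users" directory, optionally calling the
# "Launch" export as in the HKLM entry on the page.
HEX8_RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"]*?\\(?:Application Data|All Users)'
    r'[^"]*?\\[0-9A-Fa-f]{8}\.dll"?(?:,Launch)?',
    re.IGNORECASE,
)


def match_run_entry(key, name, value):
    """True when a Run-key entry has the shape described for Backdoor.Fexel."""
    if key.lower() not in {k.lower() for k in RUN_KEYS}:
        return False
    return bool(HEX8_NAME.match(name) and HEX8_RUNDLL.search(value))


def scan_run_entries(entries):
    """Return the (key, name, value) tuples that match the persistence pattern."""
    return [e for e in entries if match_run_entry(*e)]


def scan_connections(lines):
    """Return firewall/proxy log lines that reference the remote address."""
    return [line for line in lines if C2_IP in line]


# Constructed sample Run-key entries (the DLL name 1A2B3C4D is a placeholder).
SAMPLE_RUN_ENTRIES = [
    (RUN_KEYS[1], "1A2B3C4D",
     r'rundll32.exe "%SystemDrive%\Documents and Settings\All Users\Application Data\1A2B3C4D.dll",Launch'),
    (RUN_KEYS[0], "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (RUN_KEYS[0], "DEADBEEF", r'rundll32.exe "C:\Windows\System32\abcd1234.dll",Launch'),
]

# Constructed sample firewall log lines.
SAMPLE_CONN_LOG = [
    "2024-01-01 10:00:01 ALLOW TCP 10.0.0.5:51234 -> 93.184.216.34:443",
    "2024-01-01 10:00:07 ALLOW TCP 10.0.0.5:51240 -> 103.17.117.90:80",
    "2024-01-01 10:00:09 ALLOW UDP 10.0.0.5:53012 -> 10.0.0.1:53",
]

if __name__ == "__main__":
    for hit in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print("suspicious Run entry:", hit)
    for hit in scan_connections(SAMPLE_CONN_LOG):
        print("connection to listed address:", hit)
```

The first sample entry matches (HKLM key, eight-hex-digit name, rundll32.exe loading an eight-hex-digit DLL under All Users\Application Data); the OneDrive entry and the System32 DLL entry do not, because an eight-hex-digit name alone is not enough without the data-directory DLL path. On a live host the entries would come from a registry export or an autoruns listing rather than the constructed list.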

Affected

  • Windows