System Infected: Backdoor.Vinself Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature will detect network activity of Backdoor.Vinself.

Additional Information

When the Trojan is executed, it creates the following file:
%SystemDrive%\recycler\tabcteng.dll

The Trojan modifies the following registry entries so that its DLL is loaded in place of the legitimate Network Connections (Netman) service DLL (the "expand:" prefix denotes a REG_EXPAND_SZ value; Start = 2 sets the service to automatic start):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman\Parameters\"ServiceDll" = "expand:c:\recycler\tabcteng.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman\"Start" = "2"

The Trojan then attempts to stop and restart the Netman service so that the svchost.exe process hosting the service loads tabcteng.dll. It also ensures that the IP Network Address Translator (ipnat) service is running and injects code into an Internet Explorer (iexplore.exe) process.

The Trojan also contains rootkit functionality.

The threat then opens a back door and attempts to connect to one of the following command and control servers:

[http://]www.european.proxydns.com
[http://]www.european.portrelay.com
[http://]jan.winself.com
[http://]photographer.myphotos.cc
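The signature above keys on traffic to these hosts. The following PowerShell script is an added example, not part of Symantec's write-up, that matches the four command and control hostnames against proxy or DNS log lines. The log line format and the sample lines are constructed for illustration; adapt the input to whatever your proxy or DNS server actually writes. It matches the full hostname rather than the registered domain, so that unrelated hosts under the same parent domain (the first two entries sit under shared third-party domains) do not raise an alert.

```powershell
# Added example (not Symantec's code): find Backdoor.Vinself C2 hostnames in log lines.
# Hostnames are taken from the write-up; the log format below is a constructed example.
$c2Hosts = @(
    'www.european.proxydns.com',
    'www.european.portrelay.com',
    'jan.winself.com',
    'photographer.myphotos.cc'
)

# One case-insensitive alternation of the escaped hostnames, anchored on word boundaries
# so that e.g. "other.proxydns.com" or "xjan.winself.com" is not reported.
$c2Pattern = '(?i)(?<![\w.-])(' +
    (($c2Hosts | ForEach-Object { [regex]::Escape($_) }) -join '|') +
    ')(?![\w-])'

function Find-VinselfC2 {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $c2Pattern) {
            [pscustomobject]@{
                Host = $Matches[1].ToLower()
                Line = $line
            }
        }
    }
}

# Constructed sample log (not real traffic). Lines 1 and 3 should match, 2 and 4 should not.
$sampleLog = @(
    '2011-04-12 10:22:01 10.0.0.15 GET http://www.european.proxydns.com/index.asp 200',
    '2011-04-12 10:22:05 10.0.0.15 GET http://www.microsoft.com/ 200',
    '2011-04-12 10:23:40 10.0.0.22 CONNECT jan.winself.com:443 200',
    '2011-04-12 10:24:00 10.0.0.31 GET http://other.proxydns.com/ 200'
)

Find-VinselfC2 -Lines $sampleLog | Format-Table -AutoSize

# Against a real export, e.g.:  Find-VinselfC2 -Lines (Get-Content .\proxy.log)
```

Any hit identifies a source IP that should be pulled for the host checks below; since the back door is bidirectional, a single match is enough to treat the host as compromised rather than waiting for repeated beacons.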

The Trojan may attempt to gather the following information:

Windows version and user account information.
CPU, Hard drive, and NETBIOS information.
Installed network adapters and network configuration settings.
Installed applications, Internet Explorer version, and installed browser-helper object information.

The Trojan stores the gathered information in the following files:

%Temp%\mst[RANDOM DIGIT].tmp
%Temp%\tmp[RANDOM DIGIT].tmp
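The following PowerShell script is an added example, not Symantec's own code, that hunts a single host for the indicators described above: the Netman ServiceDll hijack and Start value, the dropped tabcteng.dll, the mst*.tmp and tmp*.tmp staging files, and whether the DLL is currently loaded in any process. It assumes a clean Netman service has its ServiceDll under %SystemRoot%\System32 and Start = 3 (Manual), which are the stock Windows defaults rather than values from the write-up, and it uses Get-FileHash, which needs PowerShell 4 or later. Run it from an elevated session.

```powershell
# Added example (not Symantec's code): hunt for Backdoor.Vinself host indicators.
# Assumptions (not from the write-up): clean Netman ServiceDll lives under
# %SystemRoot%\System32 and the service's default Start value is 3 (Manual).
function Find-VinselfHostIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Netman ServiceDll hijack. Get-ItemProperty already expands REG_EXPAND_SZ values;
    #    the explicit expansion is a safety net for values read as plain strings.
    $netmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netman'
    $params = Get-ItemProperty -Path "$netmanKey\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if ($dll -notmatch '\\System32\\netman\.dll$') {
            $findings.Add("Netman ServiceDll points outside System32: $dll")
        }
    }
    $svc = Get-ItemProperty -Path $netmanKey -ErrorAction SilentlyContinue
    if ($svc -and $svc.Start -eq 2) {
        $findings.Add('Netman Start=2 (Automatic); expected 3 (Manual) on a clean host')
    }

    # 2. Dropped DLL. Hash it so the sample can be matched or submitted later.
    $dropped = Join-Path $env:SystemDrive 'recycler\tabcteng.dll'
    if (Test-Path -LiteralPath $dropped) {
        $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
        $findings.Add("Dropped file present: $dropped (SHA256 $hash)")
    }

    # 3. Staging files. The code runs inside a service, so %Temp% may resolve to the
    #    system Temp directory rather than the logged-on user's; check both.
    foreach ($dir in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(mst|tmp)\d+\.tmp$' } |
            ForEach-Object { $findings.Add("Possible staging file: $($_.FullName)") }
    }

    # 4. Is tabcteng.dll loaded anywhere (the svchost.exe hosting Netman, or an
    #    injected iexplore.exe)? Module enumeration fails on protected processes.
    foreach ($proc in Get-Process) {
        try {
            if ($proc.Modules | Where-Object { $_.ModuleName -ieq 'tabcteng.dll' }) {
                $findings.Add("tabcteng.dll loaded in $($proc.ProcessName) (PID $($proc.Id))")
            }
        } catch { }
    }

    return $findings
}

$results = Find-VinselfHostIndicators
if ($results.Count -eq 0) { 'No Vinself indicators found.' } else { $results }
```

Because the Trojan carries rootkit functionality, a clean result from this script on the live system is not conclusive; if the network signature fired for the host, repeat the file and registry checks from an offline image or a boot environment.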

The back door allows an attacker to perform the following actions:

Monitor keystrokes in programs specified by the attacker.
Take screenshots of programs specified by the attacker.
Download and execute files.
Shut down the computer.
End a process.
Create a process under a specified user context.
Create and delete registry keys and values.
Create, delete, move, copy, and rename files.
Stop, start, remove, and list all services.

Affected

  • Microsoft Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7