System Infected: Backdoor.Samkams Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Backdoor.Samkams activity on the compromised computer.

Additional Information

When Backdoor.Samkams is executed, it performs the following actions:

Creates the following mutexes so that only one copy of the Trojan runs on the compromised computer:

CMD
MAIN

Injects its processes into explorer.exe to hide its presence on the compromised computer.

Drops the following files:

%System%\dllcnfg.exe
%System%\dmgrd.exe

Attempts to send the following information to a remote server by connecting to [http://]www.scratchindian.com/[REMOVED]/cgi-bin/Owpq4.cgi:

Operating system version
Computer name
MAC address

Opens a back door by connecting to [http://]www.scratchindian.com/[REMOVED] and allows a remote attacker to perform unauthorized actions on the compromised computer.
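The host and network indicators listed above can be turned into a simple triage check. The following Python is an added example, not Symantec's signature logic: it flags proxy log lines that reach the command-and-control host (the redacted path segment is unknown, so only the host and the trailing cgi-bin/Owpq4.cgi path are matched), and it looks for the two dropped file names in a directory listing. The proxy log layout and its sample lines are constructed for the example.

```python
import os
from urllib.parse import urlsplit

# Indicators as listed in the signature description above.
C2_HOST = "www.scratchindian.com"
C2_CGI_PATH = "/cgi-bin/Owpq4.cgi"
DROPPED_FILES = {"dllcnfg.exe", "dmgrd.exe"}

# Constructed sample proxy lines ('<epoch> <client> <method> <url> <status>');
# the '/x/' segment stands in for the path redacted on the signature page.
SAMPLE_PROXY_LOG = """\
1288900001.123 10.0.0.5 GET http://www.scratchindian.com/x/cgi-bin/Owpq4.cgi 200
1288900002.456 10.0.0.5 GET http://www.example.org/index.html 200
1288900003.789 10.0.0.7 POST http://www.scratchindian.com/x/ 200
"""

def classify_url(url):
    """'beacon' for the data-submission CGI on the C2 host, 'c2-contact'
    for any other request to that host, None for everything else."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != C2_HOST:
        return None
    # Only the host and the trailing CGI path are known, so match on those.
    if parts.path.lower().endswith(C2_CGI_PATH.lower()):
        return "beacon"
    return "c2-contact"

def scan_proxy_log(text):
    """Return (client, label, url) for each proxy line hitting the C2 host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], label, fields[3]))
    return hits

def find_dropped_files(names):
    """Which of the signature's dropped file names appear in a listing
    (case-insensitive, as Windows file names are)."""
    return sorted(n for n in names if n.lower() in DROPPED_FILES)

def check_system_dir():
    """Look for the dropped files in System32 under %SystemRoot% on a live host."""
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return find_dropped_files(os.listdir(system_dir)) if os.path.isdir(system_dir) else []
```

A hit on the CGI path corresponds to the information-gathering step described above; any other request to the host corresponds to the back door connection.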

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP