System Infected: Backdoor.Jabeefit Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Backdoor.Jabeefit activity on an infected machine.

Additional Information

When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\BIFIT_A\agent.exe

The Trojan then drops the following files:

%UserProfile%\Application Data\BIFIT_A\bifit_a.cfg
%UserProfile%\Application Data\BIFIT_A\bifit_agent.jar
%UserProfile%\Application Data\BIFIT_A\javassist.jar


Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"bifit_agent" = "%UserProfile%\Application Data\BIFIT_A\agent.exe"

The Trojan then opens a back door on the compromised computer and connects to the following URL:
http :// 5.135.188.15/site1/client.php
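
A host sweep for the file and registry artifacts listed above, as an added example that is not Symantec's code. The function and variable names are hypothetical, and enumerating profiles through the ProfileList registry key is an assumption about how the check is run (elevated, on the suspect machine).

```powershell
# Added example (not Symantec code). Function and variable names are hypothetical.
# Indicator values below are copied from this writeup.
$ArtifactDir   = 'Application Data\BIFIT_A'   # relative to %UserProfile%
$ArtifactFiles = 'agent.exe', 'bifit_a.cfg', 'bifit_agent.jar', 'javassist.jar'
$RunValueName  = 'bifit_agent'
$RunSubKey     = 'Software\Microsoft\Windows\CurrentVersion\Run'
$ProfileList   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Find-JabeefitArtifacts {
    # Walk every local profile, not only the account running the check.
    foreach ($entry in Get-ChildItem -Path $ProfileList) {
        $sid     = $entry.PSChildName
        $userDir = (Get-ItemProperty -Path $entry.PSPath).ProfileImagePath
        if (-not $userDir) { continue }

        # File artifacts. On Vista and later "Application Data" is a junction
        # to AppData\Roaming, so the path from the writeup still resolves.
        foreach ($name in $ArtifactFiles) {
            $path = Join-Path (Join-Path $userDir $ArtifactDir) $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                [pscustomobject]@{ Sid = $sid; Kind = 'File'; Evidence = $path }
            }
        }

        # Run-key persistence. A user's hive is visible under HKEY_USERS only
        # while it is loaded (user logged on); other users need NTUSER.DAT
        # examined offline.
        $runKey = "Registry::HKEY_USERS\$sid\$RunSubKey"
        $value  = (Get-ItemProperty -Path $runKey -Name $RunValueName `
                      -ErrorAction SilentlyContinue).$RunValueName
        if ($value) {
            [pscustomobject]@{ Sid = $sid; Kind = 'RunKey'
                               Evidence = "$RunValueName = $value" }
        }
    }
}

Find-JabeefitArtifacts | Format-Table -AutoSize
```

An empty result means none of the listed artifacts were found for the profiles and loaded hives that were reachable; it does not cover hives of users who are not logged on.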

Affected

  • All Windows platforms