System Infected: Backdoor.Sinflight Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic generated by Backdoor.Sinflight.

Additional Information

When the Trojan is executed, it may create the following files:
%CurrentFolder%\ntusr.ini
%CurrentFolder%\ntusrheart1.ini
%CurrentFolder%\hntusr2.ini
%CurrentFolder%\ntu.ini

The Trojan creates the following mutex so that only one instance of the threat executes on the computer:
MYSERV[NUMBER]

Note: A possible mutex would be MYSERV354, for instance.

The Trojan steals operating system and network adapter information from the compromised computer.

The Trojan then opens a back door on the compromised computer and connects to the following domain:
[http://]salam-sha.overblog.com

The Trojan may then perform malicious activities on the compromised computer.
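A small defender-side triage helper, added here as an example and not Symantec's signature or code, that checks sandbox or EDR events against the file, mutex and domain indicators listed above. The event format, helper names and sample values are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the Backdoor.Sinflight write-up above.
SINFLIGHT_FILES = {"ntusr.ini", "ntusrheart1.ini", "hntusr2.ini", "ntu.ini"}
SINFLIGHT_MUTEX = re.compile(r"^MYSERV\d+$")      # MYSERV[NUMBER], e.g. MYSERV354
SINFLIGHT_C2_HOST = "salam-sha.overblog.com"      # shown defanged as [http://]... above

def refang(indicator: str) -> str:
    return indicator.replace("[", "").replace("]", "")  # drop '[http://]' style brackets

def host_of(url: str) -> str:
    """Bare, lower-cased host of a URL (scheme, port and path stripped)."""
    bare = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(url), flags=re.I)
    return bare.split("/", 1)[0].split(":", 1)[0].lower()

def is_sinflight_file(path: str) -> bool:
    # Only the basename is compared: the write-up says the files land in
    # %CurrentFolder%, i.e. wherever the dropper was run from.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SINFLIGHT_FILES

def is_sinflight_mutex(name: str) -> bool:
    return SINFLIGHT_MUTEX.match(name) is not None

def is_sinflight_c2(url: str) -> bool:
    # Exact host match: overblog.com is a public blogging platform, so a
    # looser suffix match on the parent domain would flag legitimate traffic.
    return host_of(url) == SINFLIGHT_C2_HOST

CHECKS = {"file": is_sinflight_file, "mutex": is_sinflight_mutex, "network": is_sinflight_c2}

def triage(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (kind, value) sandbox/EDR events that match a Sinflight indicator by kind."""
    hits: Dict[str, List[str]] = {}
    for kind, value in events:
        check = CHECKS.get(kind)
        if check and check(value):
            hits.setdefault(kind, []).append(value)
    return hits

# Constructed sample events (not from the page) in the shape a sandbox report might yield.
SAMPLE_EVENTS = [
    ("file", r"C:\Users\alice\Downloads\ntusrheart1.ini"),
    ("file", r"C:\Windows\System32\drivers\etc\hosts"),
    ("mutex", "MYSERV354"),
    ("mutex", "Global\\MYSERV"),
    ("network", "[http://]salam-sha.overblog.com/ntusr"),
    ("network", "https://www.example.com/"),
]
```

Running `triage(SAMPLE_EVENTS)` returns one hit per indicator kind for the constructed data; feed it real sandbox or EDR events in the same (kind, value) shape to use it on an investigation.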

Affected

  • various Windows versions