
System Infected: Trojan.Backoff Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Backoff activity on compromised systems.

Additional Information

When the Trojan is executed, it creates the following files:
%AppData%\OracleJava\javaw.exe
%AppData%\nsskrnl
%AppData%\Local.dat
%AppData%\OracleJava\Log.txt

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows NT Service" = "%AppData%\OracleJava\javaw.exe"

The Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"identifier" = "[7 RANDOM CHARACTERS]"

The Trojan accepts the following commands:
Update: update Trojan
Terminate: kill thread and process
Uninstall: uninstall Trojan
Download and Run: download then execute file
Upload KeyLogs: upload log file

The Trojan steals the following information from a compromised computer:
Computer name
User name
Windows version
Track data (the account data encoded on a payment card's magnetic stripe)

The Trojan logs keystrokes to the following file:
%AppData%\OracleJava\Log.txt

The Trojan creates an encrypted copy of itself in the following file:
%AppData%\nsskrnl

The Trojan saves stolen track data to the following file:
%AppData%\Local.dat

The Trojan may connect to the following remote locations:
[http://]msframeworkx64.com/windows/updche[REMOVED]
[http://]msframeworkx86.com/windows/updche[REMOVED]
[http://]msframeworkx86.ru/windows/updche[REMOVED]

The Trojan may inject itself into other processes, either to scan their memory for POS track data or to ensure that the Trojan keeps running.
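The file, registry and network indicators above can be turned into a host-triage check. The following is an added example, not Symantec's signature logic or Backoff's own code: a Python detector that applies those indicators to endpoint telemetry records. The record format (fields type, path, key, name, data, url) and the sample events are constructed for the example; two details the page does not give are assumptions marked in the code, namely the alphanumeric character set for the 7-character identifier value and the prefix match on the truncated C2 URL path.

```python
"""Offline indicator check for the Trojan.Backoff artifacts described above.
Added example, not Symantec's signature or Backoff's code; runs over
constructed telemetry records with assumed fields type/path/key/name/data/url."""
import re
from urllib.parse import urlsplit

# Files the Trojan drops, relative to %AppData% (stored lower-case).
BACKOFF_FILES = {
    r"oraclejava\javaw.exe": "dropped binary posing as Java",
    r"nsskrnl": "encrypted copy of the Trojan",
    r"local.dat": "stolen track data",
    r"oraclejava\log.txt": "keystroke log",
}

# Persistence and victim-identifier registry values from the advisory.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "windows nt service"
CURVER_KEY = r"hkey_current_user\software\microsoft\windows\currentversion"
IDENT_VALUE_NAME = "identifier"
# The page says "7 random characters"; alphanumeric is an assumption.
IDENT_RE = re.compile(r"^[A-Za-z0-9]{7}$")

# C2 hosts; the URL path is truncated on the page, so only the prefix is matched.
C2_HOSTS = {"msframeworkx64.com", "msframeworkx86.com", "msframeworkx86.ru"}
C2_PATH_PREFIX = "/windows/updche"

# %AppData% as written, or its expanded form on Vista+ and on XP/2000.
APPDATA_RE = re.compile(
    r"^(?:%appdata%"
    r"|[a-z]:\\users\\[^\\]+\\appdata\\roaming"
    r"|[a-z]:\\documents and settings\\[^\\]+\\application data)\\",
    re.IGNORECASE,
)


def appdata_relative(path):
    """Return the lower-cased path relative to %AppData%, or None if not under it."""
    path = path.strip('"')
    m = APPDATA_RE.match(path)
    return path[m.end():].lower() if m else None


def check_file(path):
    """Flag a created file that matches one of the dropped-file locations."""
    rel = appdata_relative(path)
    return f"file: {BACKOFF_FILES[rel]} ({path})" if rel in BACKOFF_FILES else None


def check_registry(key, name, data):
    """Flag the Run persistence value or the victim identifier value."""
    key_l, name_l = key.lower().rstrip("\\"), name.lower()
    if key_l == RUN_KEY and name_l == RUN_VALUE_NAME:
        # The value name alone is suspicious; javaw.exe under %AppData%
        # (real Java lives under Program Files) confirms the Backoff dropper.
        if appdata_relative(data) == r"oraclejava\javaw.exe":
            return f"registry: Run persistence '{name}' -> {data}"
        return f"registry: suspicious Run value '{name}' -> {data}"
    if key_l == CURVER_KEY and name_l == IDENT_VALUE_NAME and IDENT_RE.match(data):
        return f"registry: victim identifier '{data}'"
    return None


def check_url(url):
    """Flag a request to one of the listed C2 hosts on the update path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS and parts.path.lower().startswith(C2_PATH_PREFIX):
        return f"network: C2 beacon to {host}{parts.path}"
    return None


def scan(events):
    """Apply the three indicator checks to a list of telemetry records."""
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            hit = check_file(ev["path"])
        elif ev["type"] == "registry_set":
            hit = check_registry(ev["key"], ev["name"], ev["data"])
        elif ev["type"] == "network":
            hit = check_url(ev["url"])
        else:
            hit = None
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry: one infected POS host plus two benign records.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\pos01\AppData\Roaming\OracleJava\javaw.exe"},
    {"type": "file_create", "path": r"C:\Users\pos01\AppData\Roaming\nsskrnl"},
    {"type": "file_create", "path": r"C:\Users\pos01\AppData\Roaming\Local.dat"},
    {"type": "file_create", "path": r"C:\Users\pos01\AppData\Roaming\OracleJava\Log.txt"},
    {"type": "file_create", "path": r"C:\Program Files\Java\jre7\bin\javaw.exe"},  # real Java
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Windows NT Service", "data": r"%AppData%\OracleJava\javaw.exe"},
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
     "name": "identifier", "data": "x7Qm2Kp"},
    {"type": "network", "url": "http://msframeworkx86.ru/windows/updche"},  # truncated as on the page
    {"type": "network", "url": "http://www.example.com/windows/updche"},  # benign host
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The check keys on location rather than file name: javaw.exe is a legitimate Java binary, and only its presence under %AppData%\OracleJava (and as the target of a Run value named "Windows NT Service") is the Backoff indicator. Domain matches should be treated as a lead rather than proof of live C2, since the listed domains may since have been taken down or sinkholed.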

Affected

  • Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP