Backdoor.Formador is a back door server program that allows a remote attacker to perform various actions on a compromised computer. The Trojan can arrive under any file name the attacker chooses. When it is executed, it creates a copy of itself in the Windows System directory using the file name it was received as.
It then creates the following registry entry so that it is launched every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[TROJAN FILE NAME] = "%System%\[TROJAN FILE NAME].exe"
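The persistence pattern above (a binary in the System directory registered under its own file name in the HKLM Run key) is easy to check for on a host. The following PowerShell is an added example written for this page, not code from the advisory or its vendor; the function name, parameter and output fields are this example's own choices. It enumerates the Run key, resolves each entry to an executable path, and flags entries that live in the System directory, are named after themselves, and do not carry a valid Authenticode signature. Note that the advisory's "%System%" is the writeup's notation for the System directory, not a real environment variable; real entries usually use %SystemRoot%\System32 or an absolute path, which the expansion below handles.

```powershell
# Added defender-side check (not from the advisory): list HKLM Run entries and
# flag those matching the persistence pattern the advisory describes.
# Function and parameter names are hypothetical choices for this example.

function Get-RunKeyPersistenceCandidates {
    [CmdletBinding()]
    param(
        # Autorun key to inspect; HKLM Run is the key the advisory names.
        [string]$RunKeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )

    $systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
    $key = Get-Item -Path $RunKeyPath -ErrorAction Stop

    foreach ($valueName in $key.GetValueNames()) {
        $raw = [string]$key.GetValue($valueName)
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # Expand %SystemRoot%-style variables, then pull the executable out of the command line
        # (quoted path first, otherwise the first token ending in .exe, otherwise the whole value).
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $exePath = if ($expanded -match '^\s*"([^"]+)"') { $matches[1] }
                   elseif ($expanded -match '^\s*(\S+\.exe)') { $matches[1] }
                   else { $expanded.Trim() }

        $inSystemDir = $exePath.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase)
        $baseName    = [IO.Path]::GetFileNameWithoutExtension($exePath)
        $nameMatches = $baseName -ieq $valueName

        # A legitimate vendor binary normally has a valid signature; a dropped copy usually does not.
        $signature = 'file missing'
        if (Test-Path -LiteralPath $exePath) {
            $signature = (Get-AuthenticodeSignature -FilePath $exePath).Status.ToString()
        }

        [pscustomobject]@{
            ValueName         = $valueName
            Target            = $exePath
            InSystemDirectory = $inSystemDir
            NameMatchesValue  = $nameMatches
            SignatureStatus   = $signature
            # True when the entry fits the advisory's pattern and is worth analyst review.
            MatchesPattern    = $inSystemDir -and $nameMatches -and ($signature -ne 'Valid')
        }
    }
}

# Usage: show only the entries that fit the pattern.
Get-RunKeyPersistenceCandidates | Where-Object MatchesPattern | Format-Table -AutoSize
```

Flagged entries are candidates, not verdicts: compare the file hash against known-good inventory and check creation time and the process that wrote the registry value before acting on them.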
The back door then contacts a predefined HTTP server to fetch a list of commands. It allows the remote attacker to perform actions including the following:
- Reconfigure the back door
- Send system information using an HTTP POST request
- Modify the registry
- Delete files
- Download and execute arbitrary code