Detection files published:
Description created: 2010-10-26
Description updated: 2010-10-26
Alias:
Spreading mechanism:
Payload:
Belmoo is a Windows executable, 48640 bytes long. It is written in C, and is not compressed or encrypted in any way. The executable was apparently created on Sun Oct 24 16:26:29 2010.
Installation
Upon execution it will copy itself to the %WINDOWS%\temp folder and create registry values so that it is started at boot:
* Creates file [WINDIR]\temp\symantec.exe.
* Creates value "Microsoft Windows Update"="[WINDIR]\temp\symantec.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Microsoft Windows Update"="[WINDIR]\temp\symantec.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Note that it uses the REG command-line tool to make the registry modifications; it does not manipulate the registry directly from the program.
The malware will attempt to resolve two internet addresses:
nobel.usagov.mooo.com
update.microsoft.com
Apparently the first of these addresses is not used for anything in particular. The second is used for a single connect on TCP port 80 (HTTP); the result of this connect is not checked.
After this it will attempt to connect alternately to two other internet addresses:
l-3com.dyndns-work.com
l-3com.dyndns.tv
If neither of these addresses resolves, the malware will exit.
If the first address resolves, the malware will attempt to connect to it on port 443/tcp. If this connect fails, the malware will instead attempt to connect to the second address on port 80/tcp, presumably to avoid firewalls. If either connect succeeds, the malware attaches a command shell to the opened socket, giving an attacker access to the local computer with the same rights as the logged-on user.
After the shell has been closed, the malware will wait a semi-random amount of time (minimum one minute) before retrying.
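The following triage script is an added example (not Norman's code) that checks a host's exported Run keys and a proxy/connection log for the persistence and network indicators described above. The `reg query` output format and the log line format are assumptions; the sample data is constructed.

```python
import re

# Indicators from the description: the Run value name and dropped file the
# malware installs, and the two host/port pairs it alternates between.
RUN_VALUE_NAME = "Microsoft Windows Update"
DROPPED_FILE = re.compile(r"\\temp\\symantec\.exe$", re.IGNORECASE)
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
}
C2_ENDPOINTS = {("l-3com.dyndns-work.com", 443), ("l-3com.dyndns.tv", 80)}

# A value line of `reg query` output: indented name, type, data (format assumed).
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+)$")


def find_run_persistence(reg_output):
    """Return (key, value name, data) for Run entries matching the Belmoo pattern."""
    hits, current_key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key in RUN_KEYS:
            data = m.group("data").strip()
            # Require both the masquerading value name and the dropped path.
            if m.group("name") == RUN_VALUE_NAME and DROPPED_FILE.search(data):
                hits.append((current_key, m.group("name"), data))
    return hits


def find_c2_connections(proxy_lines):
    """Flag 'host:port' targets (last field of each line) matching the C2 pairs."""
    found = []
    for line in proxy_lines:
        host, _, port = line.split()[-1].rpartition(":")
        if port.isdigit() and (host.lower(), int(port)) in C2_ENDPOINTS:
            found.append((host.lower(), int(port)))
    return found


# Constructed sample data, not real captures.
SAMPLE_REG = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Windows Update    REG_SZ    C:\Windows\temp\symantec.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Windows Update    REG_SZ    C:\Windows\temp\symantec.exe
"""
SAMPLE_PROXY = [
    "2010-10-25T09:00:01 10.0.0.5 CONNECT update.microsoft.com:80",
    "2010-10-25T09:00:02 10.0.0.5 CONNECT l-3com.dyndns-work.com:443",
    "2010-10-25T09:05:10 10.0.0.5 CONNECT l-3com.dyndns.tv:80",
]
```

A benign entry that only shares the value name (for example a real updater outside \temp) is not flagged, because both the name and the dropped path must match.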
Analysis by Snorre Fagerland
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| Stopping network share infectors | | |
| Cleaning of back-up folders on Windows Me and XP | | |