W32/Thredsys.Backdoor
Analysis
- The Trojan is 32-bit and of variable size, with variants ranging between 250Kb and 400Kb
- The Trojan may be posted to newsgroups presented as pornographic pictures or other items that it is not
- If the Trojan is run, it may stay memory resident and attempt to connect to an IP address on the domain "teledisnet.be"; however, this could be altered between variants. The Trojan may also attempt to open TCP port 6056 and await instructions from a hacker or group of hackers
- The Trojan may copy itself into the Windows\System folder as "threadsys0.exe" and modify the registry so that it runs at Windows startup, as in this example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"threadsys0" = C:\WINNT\system\threadsys0.exe
- The Trojan may create a file "para.cfg" in the Windows\System folder; this is a configuration file that holds information such as the port number and IP address to connect to
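A host triage check built from the indicators listed above, added here as an example and not part of the original entry. It assumes the analyst has already collected a .reg export of the HKCU Run key, the list of listening TCP ports, and a listing of the Windows\System folder; the snapshot data below is constructed, and the port and address are one variant's values since the entry says they may change.

```python
import re

# Indicators quoted from the entry above; the entry notes that the port and
# connect-back address may differ between variants, so treat these as one variant's.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "threadsys0"
DROPPED_EXE = "threadsys0.exe"
CONFIG_FILE = "para.cfg"
BACKDOOR_PORT = 6056

def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: value}} (REG_SZ only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg exports escape backslashes inside string values as \\
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_indicators(reg_text, listening_ports, system_dir_files):
    """Return human-readable findings for each indicator from the entry that is present."""
    findings = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    for name, value in run_values.items():
        # Match on the value name or on the dropped binary name, case-insensitively
        if name.lower() == RUN_VALUE_NAME or value.lower().endswith(DROPPED_EXE):
            findings.append(f"startup persistence: {name} = {value}")
    names = {f.lower() for f in system_dir_files}
    if DROPPED_EXE in names:
        findings.append(f"dropped binary present: {DROPPED_EXE}")
    if CONFIG_FILE in names:
        findings.append(f"configuration file present: {CONFIG_FILE}")
    if BACKDOOR_PORT in listening_ports:
        findings.append(f"listening on TCP port {BACKDOOR_PORT}")
    return findings

# Constructed sample snapshot for a hypothetical infected host (not real data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"threadsys0"="C:\\WINNT\\system\\threadsys0.exe"
"""
SAMPLE_PORTS = [135, 445, 6056]
SAMPLE_FILES = ["shell32.dll", "THREADSYS0.EXE", "para.cfg"]
```

Run `find_indicators(SAMPLE_REG, SAMPLE_PORTS, SAMPLE_FILES)` to list the four matching indicators for the sample host; a clean host returns an empty list.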