Virus

W32/Thredsys.Backdoor

Analysis

  • Trojan is 32bit and variable size with variants ranging between 250Kb and 400Kb
  • Trojan may be posted into newsgroups suggested to be pictures of porn or other items which it is not
  • If Trojan is run, it may run memory resident and attempt to connect to an IP address located on the domain “teledisnet.be” however this could be altered between variants – the Trojan may attempt to open TCP port 6056 awaiting instructions from a hacker or group of hackers
  • Trojan may copy itself into the Windows\System folder as “threadsys0.exe” and modify the registry to run at Windows startup as in this example –
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "threadsys0" = C:\WINNT\system\threadsys0.exe
  • Trojan may create a file “para.cfg” into the Windows\System folder which is a configuration file that identifies some information such as the port number and IP address to connect with