
Backdoor.Winnti.B

Posted: September 7, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 44
First Seen: September 7, 2012
OS(es) Affected: Windows

Backdoor.Winnti.B is a backdoor Trojan that opens a back door on the infected computer. Once executed, Backdoor.Winnti.B creates several potentially malicious files and modifies the Windows Registry by creating the registry entries listed below. Backdoor.Winnti.B sets a handler routine using SetConsoleCtrlHandler that downloads the infection into the file system so that it runs automatically every time Windows starts. Backdoor.Winnti.B contacts a command-and-control server, enabling a remote attacker to carry out numerous malicious actions, such as stealing personal information.

Technical Details

File System Modifications


The following files were created on the system:

File name: %CurrentFolder%\[RANDOM CHARACTERS].dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

File name: %System%\[RANDOM CHARACTERS].dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

Registry Modifications

The following Registry values are newly created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"LoadAppInit_DLLs" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"RequireSignedAppInit_DLLs" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "[RANDOM CHARACTERS].dll"

With LoadAppInit_DLLs set to 1 and RequireSignedAppInit_DLLs set to 0, Windows loads the unsigned DLL named in AppInit_DLLs into every process that loads user32.dll, which is how the dropped DLL is executed on each start.
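Added example, not part of the original advisory: a Python check that reads the three values above from a registry export (a constructed sample; the DLL name is a placeholder for the random name, not a real indicator) and reports the AppInit_DLLs persistence pattern they form.

```python
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample in `reg export` format; the DLL name is an assumed placeholder
# standing in for the [RANDOM CHARACTERS].dll the advisory describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
"AppInit_DLLs"="xkqztwpl.dll"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from a .reg export.
    dword values become ints, REG_SZ values are unquoted, other types stay raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = raw
    return keys


def assess_appinit(keys):
    """Return findings describing an AppInit_DLLs persistence configuration."""
    vals = keys.get(APPINIT_KEY, {})
    dlls = str(vals.get("AppInit_DLLs", "")).strip()
    findings = []
    if vals.get("LoadAppInit_DLLs") == 1 and dlls:
        findings.append("AppInit_DLLs loading is enabled for: " + dlls)
    if vals.get("RequireSignedAppInit_DLLs") == 0:
        findings.append("RequireSignedAppInit_DLLs is 0, so unsigned DLLs are loaded")
    # The list is space- or comma-separated; a bare name (no path) is resolved
    # through the DLL search order, which matches the %System% drop listed above.
    for dll in re.split(r"[ ,]+", dlls):
        if dll and "\\" not in dll:
            findings.append("bare DLL name in AppInit_DLLs: " + dll)
    return findings
```

Run `assess_appinit(parse_reg_export(open("export.reg").read()))` against an export of the key on a suspect host; an empty list means none of the three conditions is present.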