
More and More Backdoor.LV Samples Uncovered, Reports FireEye

A report just released by FireEye, the U.S.-based network security company, states that Backdoor.LV, a new malicious program that operates over port 80 and uses a custom protocol to send messages to and receive them from its central C&C (Command and Control) server, has been proliferating steadily since May this year (2012).

The company also notes that Backdoor.LV determines the NetBIOS name, locale, user name, date and Windows OS version of its host machine and then reports all of those details to its central C&C server. Alongside these, it also relays its own current version to the same command-and-control server.

The FireEye researchers intercepted a Transmission Control Protocol (TCP) stream linking the malware to its command-and-control server, which helped them work out Backdoor.LV's activity. In that traffic FireEye outlines three further fields: one is a certain 'no' string, and the other two are encoded in base64.

When the researchers decoded one of the base64 parameters, they obtained an Arabic string which translates into English as "mining the personal." They then found that the other base64 parameter reports the infected PC's window to the command-and-control server. Finally, the researchers discovered that the 'no' string served an interesting function within Backdoor.LV.

Curiously, FireEye says that nearly every sample seen was written in .NET. Examining the code for the 'no' string in detail revealed its type, and reversing it revealed a function named inf() that builds the message for the remote server: if a webcam is attached to the hijacked computer, the malware sends "Yes" to the server, otherwise "No", the researchers emphasize.
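The article describes a beacon carrying host details plus a 'no' (webcam) field and two base64-encoded fields, one decoding to Arabic text and one to the infected PC's window title. The following is an added example, not FireEye's code or anything from the report, of how an analyst might triage captured beacon lines of that shape: it decodes the base64 fields and flags the telltale values. The field order, the '|' delimiter and the sample beacon itself are constructed assumptions for this example; the real Backdoor.LV wire format is not documented in the article.

```python
import base64
import binascii
import unicodedata

# Assumed field layout (not from the article): the real protocol is custom and
# undocumented here, so this order and the '|' delimiter are constructed.
FIELD_NAMES = [
    "netbios", "locale", "user", "date", "os", "version",
    "webcam",   # the 'no'/'Yes' string the article attributes to inf()
    "b64_1",    # base64 field that decoded to an Arabic string
    "b64_2",    # base64 field carrying the infected PC's window title
]


def try_b64(value):
    """Return the UTF-8 text behind a base64 field, or None if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def has_arabic(text):
    """True if any character in the text is from the Arabic script."""
    return any("ARABIC" in unicodedata.name(ch, "") for ch in text)


def parse_beacon(line, delimiter="|"):
    """Split one beacon line, decode its base64 fields and list indicators."""
    parts = line.strip().split(delimiter)
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    fields = dict(zip(FIELD_NAMES, parts))
    decoded = {key: try_b64(fields[key]) for key in ("b64_1", "b64_2")}

    indicators = []
    if fields["webcam"].lower() in ("no", "yes"):
        indicators.append("webcam flag field present")
    for key, text in decoded.items():
        if text is not None and has_arabic(text):
            indicators.append(f"{key} decodes to Arabic-script text")
    return {"fields": fields, "decoded": decoded, "indicators": indicators}


def triage(lines):
    """Return the parsed beacons that carry at least one indicator."""
    hits = []
    for line in lines:
        try:
            parsed = parse_beacon(line)
        except ValueError:
            continue  # not in the assumed layout; skip rather than guess
        if parsed["indicators"]:
            hits.append(parsed)
    return hits


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample traffic: the Arabic text is a placeholder ("test text"),
# not the string FireEye reported, and the window title is made up.
SAMPLE_BEACON = "|".join([
    "WORKSTATION-01", "en-US", "alice", "2012-09-13", "Windows 7", "1.0",
    "no", _b64("نص تجريبي"), _b64("Untitled - Notepad"),
])
BENIGN_LINE = "GET /index.html HTTP/1.1"

if __name__ == "__main__":
    for hit in triage([SAMPLE_BEACON, BENIGN_LINE]):
        print(hit["fields"]["netbios"], hit["decoded"], hit["indicators"])
```

Lines that do not match the assumed layout are skipped rather than force-fitted, so the helper only ever reports on beacons it could actually decode.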

Finally, although Backdoor.LV harvests vital data about the end-user and the compromised computer, it surprisingly displays a dialog box once executed that directs the end-user to launch an executable called "Trojan.exe." Given such an obviously malicious filename, one can only conjecture that this malicious program was created for people who do not speak English, the security company FireEye concludes.


» SPAMfighter News - 9/13/2012
