

Variants of DDoS:Win32/Nitol can create copies of themselves as an EXE or DLL file, with a randomly generated file name of six characters, for example, "faxjwe.exe". The trojan creates the copy in one of the following folders:

The service's name is usually created from a hardcoded string (such as "111111111", "MSUpdqte" or "Nationald") with random characters inserted in or added to the string, as in the following examples:

The service's display name is also created from hardcoded strings with random characters inserted in or added to the string, as in the following examples:

"Microsoft Windows Uqdate Service", for example "Microsoft Windows Uqdatexla Service"
"National Instruments dDomain Service", for example "Nationalyta Instruments dDomain Service"

Other variants use a completely random name for the service, for example:

Some variants of DDoS:Win32/Nitol will instead pass the trojan as a DLL through the ServiceDll parameter, by modifying the following registry entry:

In subkey: HKLM\System\CurrentControlSet\Services\ \Parameters
In subkey: HKLM\System\CurrentControlSet\Services\6to4\Parameters

Where the missing path component is the service name installed by the malware.

Some variants can install a service as a legacy driver with the following registry modification:

In subkey: "HKLM\System\CurrentControlSet\Enum\Root\LEGACY_\0000"

Some variants may delete themselves from their initial location. Earlier variants use the command line "cmd.exe /c del > nul", while later variants may rename themselves as "%TEMP%\SOFTWARE.LOG" and set themselves to be deleted when you restart your PC.

Payload

All variants of DDoS:Win32/Nitol allow unauthorized access and control of your PC by connecting to a remote server every 300 milliseconds to wait for commands.

Using this backdoor, a malicious hacker can perform the following actions:
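The persistence traits described in this entry (service and display names built from hardcoded strings, a ServiceDll value pointing at a dropped DLL, six-character random file names, a LEGACY_ enumeration key) can be triaged on a host with a script like the following. It is an added example, not part of the original entry; the name fragments are taken from the entry, while the six-lowercase-letter filename heuristic and the System32 baseline for ServiceDll values are assumptions for triage rather than a definitive signature.

```powershell
# Added example, not from the original encyclopedia entry: triage the Nitol
# persistence traits described above. The name fragments come from the entry;
# the "six lowercase letters" filename heuristic and the System32 baseline for
# svchost-hosted DLLs are triage assumptions, not a definitive signature.
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32  = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32')
$tempDir   = [Environment]::ExpandEnvironmentVariables('%TEMP%')
$fragments = @('111111111', 'MSUpdqte', 'Nationald', 'Uqdate', 'dDomain')

# Pull the executable or DLL path out of an ImagePath/ServiceDll value
# (quoted or not, with or without trailing arguments).
function Get-BinaryPath([string]$value) {
    $v = [Environment]::ExpandEnvironmentVariables($value)
    if ($v -match '^\s*"?([^"]+?\.(?:exe|dll))') { return $Matches[1] }
    return $null
}

$findings = foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $svc     = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $params  = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
    $reasons = @()

    # 1. Service or display name built from one of the hardcoded strings.
    foreach ($f in $fragments) {
        if ("$($key.PSChildName) $($svc.DisplayName)" -like "*$f*") { $reasons += "name contains '$f'" }
    }

    # 2. ServiceDll (svchost-hosted, e.g. the hijacked 6to4 service) loaded from outside System32.
    $dll = if ($params.ServiceDll) { Get-BinaryPath $params.ServiceDll }
    if ($dll -and -not $dll.StartsWith($system32, 'OrdinalIgnoreCase')) { $reasons += "ServiceDll outside System32: $dll" }

    # 3. Any service binary with a six-letter random basename or dropped under %TEMP%.
    foreach ($p in @($dll, (Get-BinaryPath "$($svc.ImagePath)")) | Where-Object { $_ }) {
        if ((Split-Path -Path $p -Leaf) -match '^[a-z]{6}\.(exe|dll)$') { $reasons += "six-character filename: $p" }
        if ($p.StartsWith($tempDir, 'OrdinalIgnoreCase')) { $reasons += "binary under %TEMP%: $p" }
    }

    # 4. Legacy-driver enumeration key for an already suspicious service, as some variants create.
    $legacy = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($key.PSChildName)\0000"
    if ($reasons.Count -gt 0 -and (Test-Path -Path $legacy)) { $reasons += 'LEGACY_* enum key present' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Service = $key.PSChildName; DisplayName = $svc.DisplayName; Reasons = $reasons -join '; ' }
    }
}
$findings | Format-Table -AutoSize
```

Services flagged only by the System32 baseline deserve a look rather than an automatic verdict, since some legitimate software registers svchost-hosted DLLs under its own install directory.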
