Backdoor.Pestic
Backdoor.Pestic is a Trojan that gives a remote attacker access to the victim's computer through its backdoor ports. It hides its presence on the system by injecting itself into a legitimate Windows process, and it modifies the registry so that it runs automatically whenever Windows starts.
Technical Information:
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Manual Removal of Backdoor.Pestic:
1. Temporarily disable System Restore (Windows Me/XP/Vista/7). [how to]
2. Update the virus definitions.
3. Restart Windows in Safe Mode. [how to]
4. Run a full system scan and clean/delete all infected files.
5. Delete/modify any values added to the registry. [how to edit registry]
6. Exit registry editor and restart Windows.
Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found here or on the websites of legitimate anti-virus and security providers.
Technical Details and Additional Information:
Other functionalities of this Trojan:
- Gathers system information
- Sends data to a remote computer
- Listens on a port of the infected system
Malicious Files Added by Backdoor.Pestic:
C:\Documents and Settings\All Users\Application Data\Macromedia\swfupdate\Local.dtd
C:\Documents and Settings\All Users\Application Data\Macromedia\swfupdate\swfupdate.dll
C:\Documents and Settings\All Users\Application Data\Macromedia\swfupdate\Ui.dtd
C:\Documents and Settings\All Users\Application Data\Macromedia\swfupdate\UTemp.dtd
C:\Documents and Settings\All Users\Application Data\Macromedia\swfupdate\USTemp.dtd
C:\Documents and Settings\All Users\Application Data\Macromedia\swfupdate\H64DATA.dtd
C:\Documents and Settings\All Users\Application Data\Macromedia\swfupdate\S32DATA.dtd
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"SwUpdate" = "7B 00 30 00 30 00 33 00 35 00 34 00 31 00 41 00 31 00 2D 00 33 00 42 00 43 00 30 00 2D 00 31 00 42 00 31 00 43 00 2D 00 41 00 41 00 46 00 33 00 2D 00 30 00 34 00 30 00 31 00 31 00 34 00 30 00 30 00 31 00 43 00 30 00 31 00 7D 00"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\[ORIGINAL FILE NAME].exe: "[ORIGINAL FILE NAME].exe:*:Enabled:Application Layer Gateway Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "explorer.exe:*:Enabled:Microsoft Windows Explorer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\WINDOWS\system32\lsass.exe: "C:\WINDOWS\system32\lsass.exe:*:Enabled:LSA Shell"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\[ORIGINAL FILE NAME].exe: "[ORIGINAL FILE NAME].exe:*:Enabled:Application Layer Gateway Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "explorer.exe:*:Enabled:Microsoft Windows Explorer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\lsass.exe: "C:\WINDOWS\system32\lsass.exe:*:Enabled:LSA Shell"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01}
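The registry entries above hang together: the SwUpdate value under ShellServiceObjectDelayLoad is a REG_BINARY hex dump of a UTF-16LE string, and decoding it yields exactly the CLSID listed at the end, which is how the DLL gets loaded into Explorer at logon. The firewall entries then authorize explorer.exe and lsass.exe (the processes the Trojan injects into) for inbound connections. The script below is an added example, not part of the original entry or of any vendor tool: it decodes the hex value from this page, checks it against the CLSID key, and parses the AuthorizedApplications strings with a simple heuristic (core Windows processes such as explorer.exe and lsass.exe should not appear as firewall exceptions, and an entry describing itself as the Application Layer Gateway Service should be alg.exe). The heuristic and the benign sample entry are assumptions for illustration; everything else is taken from the page.

```python
import re
from typing import Dict, List, Tuple

# ShellServiceObjectDelayLoad\SwUpdate value exactly as the page lists it:
# a hex dump of a REG_BINARY value holding a UTF-16LE string.
SWUPDATE_HEX = (
    "7B 00 30 00 30 00 33 00 35 00 34 00 31 00 41 00 31 00 2D 00 "
    "33 00 42 00 43 00 30 00 2D 00 31 00 42 00 31 00 43 00 2D 00 "
    "41 00 41 00 46 00 33 00 2D 00 30 00 34 00 30 00 31 00 31 00 "
    "34 00 30 00 30 00 31 00 43 00 30 00 31 00 7D 00"
)

# CLSID key the page lists under HKLM\SOFTWARE\Classes\CLSID.
PESTIC_CLSID = "{003541A1-3BC0-1B1C-AAF3-040114001C01}"

CLSID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I
)

# Constructed sample of AuthorizedApplications\List values: the three from
# the page plus one benign entry made up for contrast.
SAMPLE_FIREWALL_LIST: List[Tuple[str, str]] = [
    ("[ORIGINAL FILE NAME].exe",
     "[ORIGINAL FILE NAME].exe:*:Enabled:Application Layer Gateway Service"),
    ("C:\\WINDOWS\\explorer.exe",
     "explorer.exe:*:Enabled:Microsoft Windows Explorer"),
    ("C:\\WINDOWS\\system32\\lsass.exe",
     "C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:LSA Shell"),
    ("C:\\Program Files\\Example\\chat.exe",            # constructed, benign
     "C:\\Program Files\\Example\\chat.exe:*:Enabled:Example Chat"),
]

# Core Windows processes that never need an inbound firewall exception
# (heuristic chosen for this example).
NO_EXCEPTION_EXPECTED = {"explorer.exe", "lsass.exe"}


def decode_reg_binary_utf16(hex_dump: str) -> str:
    """Convert a space-separated hex dump of a REG_BINARY value into the
    UTF-16LE string it encodes, dropping any trailing NUL terminator."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    return raw.decode("utf-16-le").rstrip("\x00")


def ssodl_value_is_clsid(hex_dump: str, clsid: str) -> bool:
    """True when the decoded SSODL value is a well-formed CLSID equal to the
    one registered under HKLM\\SOFTWARE\\Classes\\CLSID."""
    decoded = decode_reg_binary_utf16(hex_dump)
    return bool(CLSID_RE.match(decoded)) and decoded.upper() == clsid.upper()


def parse_firewall_exception(value: str) -> Dict[str, str]:
    """Split 'path:scope:state:display name' from right to left so that a
    drive letter such as C: in the path does not break the split."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def flag_firewall_exceptions(entries: List[Tuple[str, str]]) -> List[str]:
    """Return the value names whose exception looks like the ones this
    Trojan adds: a core Windows process, or an entry claiming to be the
    Application Layer Gateway Service without being alg.exe."""
    flagged = []
    for value_name, data in entries:
        parsed = parse_firewall_exception(data)
        basename = parsed["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        claims_alg = "application layer gateway" in parsed["name"].lower()
        if basename in NO_EXCEPTION_EXPECTED or (claims_alg and basename != "alg.exe"):
            flagged.append(value_name)
    return flagged


if __name__ == "__main__":
    print("SwUpdate decodes to:", decode_reg_binary_utf16(SWUPDATE_HEX))
    print("matches CLSID key:", ssodl_value_is_clsid(SWUPDATE_HEX, PESTIC_CLSID))
    for name in flag_firewall_exceptions(SAMPLE_FIREWALL_LIST):
        print("suspicious firewall exception:", name)
```

On a live system the same checks would be run over values read from the two registry locations named above; the point of the decode step is that a REG_BINARY blob under ShellServiceObjectDelayLoad is only meaningful once it is read back as a CLSID and tied to the InprocServer32 DLL it points at.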