Backdoor.Pihar is a Trojan that may infect the master boot record (MBR) of the target computer. Symantec and other anti-virus applications may detect the compromised MBR as Boot.Pihar. To allow unauthorized remote access, Backdoor.Pihar opens a backdoor and accepts commands from an attacker.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista, Windows 7
When running on the computer, Backdoor.Pihar creates a couple of random files using random hexadecimal characters. It also modifies various registry entries to weaken the Internet browser’s security settings.
To run itself at Windows start-up, Backdoor.Pihar adds a registry entry that calls the Trojan during boot-up. Additionally, it injects malicious code into the master boot record (MBR) to achieve a similar objective. The infected master boot record can be identified as Boot.Pihar.
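Because the Trojan persists by changing the MBR, comparing the boot sector against a known-good baseline is one way to spot the modification. The following is an added example, not part of the original write-up or any vendor tool; it assumes the classic 512-byte MBR layout and a baseline captured while the machine was clean, and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0..439 hold the bootstrap code (classic layout)
PART_TABLE = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"  # boot signature at offset 510

def fingerprint(mbr: bytes) -> dict:
    """Hash the bootstrap code and decode the partition table of one MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = mbr[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0x00 marks an unused slot
            entries.append((status, ptype, lba, count))
    return {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "partitions": entries,
    }

def compare(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means no drift."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature missing")
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def sample_mbr(code: bytes) -> bytes:
    # Constructed sector: placeholder code bytes plus one active NTFS-type entry.
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    body = code.ljust(PART_TABLE, b"\x00") + entry + b"\x00" * 48
    return body + SIGNATURE

# Constructed inputs: same partition table, different bootstrap bytes.
CLEAN = sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 64)
MODIFIED = sample_mbr(b"\xeb\x3c" + b"\x90" * 64)

if __name__ == "__main__":
    print(compare(fingerprint(CLEAN), fingerprint(MODIFIED)))
```

A changed bootstrap hash with an unchanged partition table is the pattern to investigate, since legitimate repartitioning alters the table rather than the boot code.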
Lastly, this Trojan communicates with a predefined web site address and accepts remote commands through the backdoor. It may contact any of the following web sites.
The Trojan may arrive on a computer through a number of schemes, which may include the following:
- It integrates a comment containing malicious links into unmanaged web sites and forums. The link aims to point the user to a web site hosting the Trojan.
- It sends anonymous messages or postings to social networking sites. Again, the post includes a link that sends the user to a compromised web address.
- Malicious code is planted on pages of legitimate web sites, which unexpectedly download the Trojan to the visitor’s computer. This technique uses SQL injection to attack any site with a known security vulnerability.
- Lastly, the attackers behind Backdoor.Pihar use unsecured file-sharing networks to spread copies of the Trojan, usually embedded in shareware applications. Downloading and executing the free program silently installs the Trojan without the user’s notice.