Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

BackDoor.CmdUdp.1

Added to the Dr.Web virus database: 2019-08-20

Virus description added:

Packer: absent

Compilation date: 08:12:31 27.12.2018

SHA1 hash:

  • 314b259739f4660e89221fa2e8990139a84611a9 (CMD_UDP_DLL.dll)

Description

It is a backdoor for Microsoft Windows operating systems. It allows attackers to remotely control infected computers by implementing remote shell functions — launching cmd.exe and redirecting the I/O to the attacker's C&C server. The trojan is written in C++; the pdb file with debugging information when compiled on the attacker's computer was located at C:\VS2010\CMD_UDP_Server\Release\CMD_UDP_DLL.pdb.

Operating routine

BackDoor.CmdUdp.1 has the following exported functions:

??0CCMD_UDP_DLL@@QAE@XZ
??4CCMD_UDP_DLL@@QAEAAV0@ABV0@@Z
?fnCMD_UDP_DLL@@YAHXZ
?nCMD_UDP_DLL@@3HA
LoadProc
ServiceMain

Once on the target computer, the backdoor can work with or without being installed on the system. In the first case, the ServiceMain function is exported; in the second case, the LoadProc function is exported. To provide its autorun, the backdoor is installed on the system as a service. Every 3 minutes BackDoor.CmdUdp.1 sends the message hello to the C&C server tv.teldcomtv.com:8080 and waits for further commands.

Communication with the server is performed over the UDP Protocol. In response the server can send one of several control words to the trojan:
hello;
world;
exit.

The «hello» command

When this command is received, the backdoor starts the cmd.exe process. In this case, the input and output of the command-line interpreter are redirected to 2 anonymous pipes. If the process is created successfully, the cmd OK message is sent to the server. In addition, a thread is started in which the trojan will send data from the stdout/stderr of the cmd.exe process to the server. If the backdoor fails to run cmd.exe, it notifies the server by sending cmd err.

The «world» command

This command stops the cmd.exe main running thread for 1 second.

The «exit» command

This command terminates the previously created cmd.exe process. If the server response does not contain any of the three specified commands, its contents are sent to cmd.exe for execution.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android