Backdoor.Throd.a

Aliases
Backdoor.Throd.a (Kaspersky Lab) is also known as: BackDoor-CEV (McAfee), Backdoor.Sysdot (Symantec), BackDoor.Throda (Doctor Web), Troj/BDThr-A (Sophos), Backdoor:Win32/Throd.A (RAV), BDS/Throd.A.2.B (H+BEDV), Win32:BMP-SYS (ALWIL), BackDoor.Throd.A (Grisoft), Backdoor.Throd.A (SOFTWIN), Bck/Throd.A (Panda), Win32/Throd.A (Eset)
Description added May 13 2004
Behavior Backdoor
Technical details
Throd is a backdoor Trojan that lets a remote 'master' use the infected (zombie) machine as a proxy server. It is written in Delphi for Windows, is about 23 KB in size (about 80 KB when unpacked) and is packed with UPX.

Installation

The Trojan copies itself into the Windows system folder under a name assembled at random from one element of each of the following three lists, taken in this order and followed by an .exe extension:
ms
svc
win

16
32
64

mes
prn
reg
This gives 27 possible file names, "ms16prn.exe" for example.
In order to auto-launch, the Trojan creates a key in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
with one of the following names chosen at random:
MS Driver Management
Synchronization Messager
System Directory Service
System Service Control
Windows Messaging System
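The naming scheme and the fixed set of Run value names above are the two host-based indicators the description gives, and both are small enough to check exhaustively. The following Python is an added example (not code from the original page or from Kaspersky): it enumerates the 27 possible file names, matches a file name or a Run value name against the scheme, and scans a set of Run entries such as one would export from HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The sample Run entries are constructed for the demonstration and are not from a real infected host.

```python
import re
from itertools import product

# The three name fragments from the description; one element of each, in order.
PREFIXES = ("ms", "svc", "win")
MIDDLES = ("16", "32", "64")
SUFFIXES = ("mes", "prn", "reg")

# The five Run value names the Trojan chooses from (from the description).
RUN_VALUE_NAMES = frozenset({
    "MS Driver Management",
    "Synchronization Messager",
    "System Directory Service",
    "System Service Control",
    "Windows Messaging System",
})

# Anchored, case-insensitive pattern for the dropped file name, e.g. ms16prn.exe.
_NAME_RE = re.compile(r"^(ms|svc|win)(16|32|64)(mes|prn|reg)\.exe$", re.IGNORECASE)


def candidate_filenames():
    """All 27 file names the dropper can produce, sorted (e.g. 'ms16mes.exe')."""
    return sorted(f"{p}{m}{s}.exe" for p, m, s in product(PREFIXES, MIDDLES, SUFFIXES))


def is_throd_filename(name):
    """True if a bare file name (no directory) matches the Throd naming scheme."""
    return _NAME_RE.match(name) is not None


def is_throd_run_value(value_name):
    """True if the Run value name is one of the five the Trojan uses."""
    return value_name in RUN_VALUE_NAMES


def _launched_exe(command):
    """Extract the bare executable name from a Run command line.

    Handles both quoted ("C:\\dir\\a.exe" /arg) and unquoted (C:\\dir\\a.exe)
    forms; only the first token is treated as the program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(None, 1)[0] if command else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def scan_run_entries(entries):
    """entries: iterable of (value_name, command_line) pairs from the Run key.

    Returns the entries that match either by value name or by the file name
    of the launched executable, so a renamed value still trips on the file
    name and vice versa."""
    hits = []
    for value_name, command in entries:
        if is_throd_run_value(value_name) or is_throd_filename(_launched_exe(command)):
            hits.append((value_name, command))
    return hits


# Constructed sample Run entries for the demonstration (not from a real host).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("System Service Control", r"C:\WINDOWS\system32\ms16prn.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r"C:\WINDOWS\system32\win64reg.exe"),
]

if __name__ == "__main__":
    for value_name, command in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry: {value_name!r} -> {command}")
```

Because a file name and value name are checked independently, the scan flags the "Updater" entry on its file name alone even though that value name is not one the description lists. The generic names like "System Service Control" are also plausible for legitimate software, so a match on the value name alone should be confirmed by inspecting the launched file (size around 23 KB, UPX-packed, in the system folder) before acting on it.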
Throd then attempts to connect to several remote servers and passes identifying information about the infected host, including its IP address, to the Trojan's author.
Throd accepts commands from the remote 'master'. On command it collects email addresses from the MS Outlook address book into the file mseml.dll and sends them to the same remote sites using HTTP requests.
Throd can download, install and launch arbitrary files on command.
Throd also works as a proxy server and is capable of accepting and relaying any type of data.