Aliases: Backdoor:Win32/Mdmbot.A, W32/Buzus.GT, Backdoor.Win32.IRCBot.bpb
Variants: Win-Trojan/Buzus.53248.8, Trojan.Win32.Buzus.amj

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 14 Feb 2008
Damage: Medium

Characteristics: W32.Mdmbot is a worm that also carries Trojan-horse (backdoor) functionality. Once executed on a vulnerable system it can use poorly protected network shares as its transport mechanism, copying its code to other clients on the network. It also opens an unauthenticated backdoor on the compromised machine, through which a remote attacker can steal confidential data or take control of the hijacked host.

More details about W32.Mdmbot

This worm normally gains entry to a vulnerable machine when an unsuspecting user visits a malicious website. In the majority of recorded infections, W32.Mdmbot was downloaded through a link on a website presumed to be controlled by its author. Once its dropper has been downloaded and launched, it creates a copy of itself in the Windows system directory. W32.Mdmbot then attempts to replace the executable of the Machine Debug Manager (mdm.exe). The legitimate Machine Debug Manager is the component that handles script debugging for the Web browser (Internet Explorer), so a process by that name does not look out of place in a process list; it is the familiar name, not the debugging function itself, that serves the worm.

W32.Mdmbot creates an autostart value in the Windows Registry so that it is loaded on every restart or boot of the host; the value data is the full path of its executable on disk. It also changes the Web browser's default homepage by rewriting the corresponding registry value. Finally, it opens a listening communication port that gives the remote attacker unrestricted control over the system and a channel for stealing confidential data.
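The three traces described above (an autostart value pointing at the executable, a rewritten browser homepage, and an unexpected listening port) can be checked from an elevated PowerShell prompt. The script below is an added triage example, not code from the original page or from any vendor; the registry paths are the standard Windows locations for Run values and the Internet Explorer Start Page, and the sample Run values it starts with are constructed for illustration.

```powershell
# Added triage example: checks Run-key autostart values, the IE Start Page, and
# listening TCP ports for the behaviour described above. Registry paths are the
# standard Windows locations; the sample values below are constructed.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExePath {
    param([string]$Command)
    # Run values are command lines; take the executable part, quoted or bare.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Test-RunValue {
    param([string]$Name, [string]$Command, [switch]$Live)
    $exe   = Get-ExePath $Command
    $leaf  = [System.IO.Path]::GetFileName($exe).ToLower()
    $flags = @()
    # The legitimate Machine Debug Manager runs as a service and is not started
    # from a Run key, so any Run value loading an mdm.exe deserves a look.
    if ($leaf -eq 'mdm.exe') { $flags += 'mdm-name' }
    if ($exe -notmatch '^[A-Za-z]:\\') { $flags += 'relative-path' }
    if ($Live) {
        if (-not (Test-Path -LiteralPath $exe)) {
            $flags += 'file-missing'
        } else {
            # An unsigned binary masquerading as a Microsoft component fails here.
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
        }
    }
    [pscustomobject]@{ Name = $Name; Path = $exe; Flags = ($flags -join ',') }
}

# Constructed sample values, shaped like data found under a Run key.
$Sample = @{
    'SecurityHealth' = '"C:\Windows\System32\SecurityHealthSystray.exe"'
    'mdm'            = 'C:\WINDOWS\mdm.exe'   # worm-style entry in %SystemRoot%
}
$Sample.GetEnumerator() |
    ForEach-Object { Test-RunValue -Name $_.Key -Command $_.Value } |
    Format-Table -AutoSize

# Live checks against the suspect host.
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Test-RunValue -Name $_.Name -Command ([string]$_.Value) -Live } |
            Format-Table -AutoSize
    }
}

# The homepage value the worm rewrites.
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
    -Name 'Start Page' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty 'Start Page'

# Listening ports with their owning process; an unexplained listener is the
# backdoor trace. Requires the NetTCPIP module (Windows 8 / Server 2012 and later).
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort | Format-Table -AutoSize
```

Treat the flags as leads rather than verdicts: a `file-missing` or `signature-NotSigned` result on a Run value named after a system component is the point at which to pull the binary for analysis, and the listener list should be compared against what the host is expected to serve.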