Aliases: Backdoor.medbot, Troj/Medbot-N, TROJ_MEDBOT.CU, Medbot.AL Backdoor
Variants: Backdoor.Win32.Medbot.AL, Troj/Medbot-AL, Backdoor.Medbot.AL, BKDR_MEDBOT.AL, Win32/Medbot.AL

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 03 Dec 2006
Damage: Medium

Characteristics: The payload most closely associated with W32.Medbot.A is a backdoor component opened on the host computer. It gives a remote attacker full control of the machine and can turn it into a relay proxy for distributing further malware. The threat may also download additional malicious code from predetermined websites. It has been observed to use poorly protected network shares as its main transport mechanism for infection.

More details about W32.Medbot.A

When W32.Medbot.A is executed on a compromised machine, it immediately scans for running security software and attempts to terminate every process associated with antivirus and firewall products. It then starts a new process named SVCHOST to carry its own code, so that it masquerades as the legitimate Windows service host and is listed as a different application. W32.Medbot.A creates at least three mutexes to mark the machine as infected; this ensures that only one instance of the malware runs on a given machine at any time. It deletes registry keys belonging to antivirus products and modifies key values to bypass the firewall and reach the Internet.

W32.Medbot.A probes TCP port 25 to check whether it can establish an outbound Simple Mail Transfer Protocol (SMTP) connection. It also attempts to contact several Web-based e-mail hosts, presumably to hijack the user's e-mail account. It then connects to a predetermined website to download a list of Web addresses that it contacts in turn; these addresses serve additional instructions for the spam e-mail messages that W32.Medbot.A sends. The instructions are downloaded as CAB archive files stored in a temporary folder on the hard drive.