
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


WebMic.A

  • Threat level: Moderate threat
  • Damage: High
  • Distribution: Not widespread

Effects 

WebMic.A carries out the following actions:

  • It opens several ports and remains listening on them.
  • It attempts to connect to the server fakin<blocked>no-ip.org through port number 1338, in order to receive control commands that allow audio and video to be recorded through the audio device of the affected computer and the webcam if installed on the system.
  • It prevents a certain antivirus from being updated.

Infection strategy 

WebMic.A creates the file WINLOGON_WIN32.EXE in the Windows directory. This file is a copy of the backdoor.


WebMic.A modifies the HOSTS file, so that a certain antivirus cannot be updated, as the corresponding web sites are redirected to the local IP address 127.0.0.1.
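A defender's check for the HOSTS tampering described above, added here as an example that is not part of the Panda Security page: it parses HOSTS-file text and flags every non-local hostname pinned to a loopback or null address. The sample HOSTS content and the `example-av.invalid` domains in it are constructed placeholders, since the page does not name the antivirus whose update sites are redirected.

```python
"""Flag HOSTS-file entries that pin non-local hostnames to a loopback or null
address, the technique used to block antivirus updates.

Added example, not Panda Security code. The sample HOSTS text and the
domains in it are constructed placeholders.
"""
import ipaddress

# Addresses that make a hostname unreachable when placed in HOSTS.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately resolve to loopback and must not be flagged.
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain",
                     "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # malformed line, not an address
        for name in names:
            yield addr, name.lower()


def find_sinkholed_hosts(text):
    """Return the sorted hostnames redirected to a loopback/null address."""
    return sorted({name for addr, name in parse_hosts(text)
                   if addr in SINKHOLE_ADDRESSES
                   and name not in LEGIT_LOCAL_NAMES})


# Constructed sample: two benign lines, then entries resembling what an
# update-blocking backdoor appends (placeholder domains, not real vendor hosts).
SAMPLE_HOSTS = """\
# constructed HOSTS sample
127.0.0.1       localhost
::1             ip6-localhost
127.0.0.1 update.example-av.invalid   # appended by malware
127.0.0.1 liveupdate.example-av.invalid download.example-av.invalid
0.0.0.0   www.example-av.invalid
"""

if __name__ == "__main__":
    for host in find_sinkholed_hosts(SAMPLE_HOSTS):
        print("sinkholed:", host)
```

On a live system the same function can be run over the contents of `%SystemRoot%\System32\drivers\etc\hosts`; any vendor update hostname in its output is a sign of this kind of tampering.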


WebMic.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows XP Manager = %windir%\winlogon_win32.exe

    where %windir% is the Windows directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Windows XP Manager = %windir%\winlogon_win32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    Windows XP Manager = %windir%\winlogon_win32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
    Windows XP Manager = %windir%\winlogon_win32.exe

    By creating these entries, WebMic.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    HRZR_EHACNGU:P:\JVAQBJF\jvaybtba_jva32.rkr = 0D, 00, 00, 00, 06, 00, 00, 00, D0, A3, 2B, BB, A4, E7, C6, 01
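The last entry above is a UserAssist record, which Windows writes for programs launched through the shell; the value name is ROT13-encoded and, on Windows XP, the 16 bytes of data hold a session id, a run counter (stored offset by 5) and a last-run FILETIME, all little-endian. The following decoder is an added forensic example, not Panda Security code; it takes the exact name and byte string listed on this page as its sample input and recovers the plain-text path (`UEME_RUNPATH:C:\WINDOWS\winlogon_win32.exe`), the run count and the last execution time.

```python
"""Decode a Windows XP UserAssist registry entry of the kind listed above.

Added example, not Panda Security code. UserAssist value names are ROT13
encoded; on Windows XP the 16-byte data is: session id (4 bytes), run
counter (4 bytes, stored as count + 5), last-run FILETIME (8 bytes),
all little-endian. The sample below is the value from this page.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(encoded):
    """ROT13-decode a UserAssist value name (HRZR_ -> UEME_)."""
    return codecs.decode(encoded, "rot_13")


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_xp_userassist(encoded_name, data):
    """Return a dict describing an XP-format UserAssist entry."""
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP UserAssist record")
    session, raw_count, ticks = struct.unpack("<IIQ", data)
    count = max(raw_count - 5, 0)          # XP stores the counter offset by 5
    last_run = filetime_to_datetime(ticks) if ticks else None
    return {
        "name": decode_name(encoded_name),
        "session": session,
        "count": count,
        "last_run": last_run,
    }


# Value from the page: the encyclopedia's hex dump, as bytes.
PAGE_NAME = r"HRZR_EHACNGU:P:\JVAQBJF\jvaybtba_jva32.rkr"
PAGE_DATA = bytes.fromhex("0D000000" "06000000" "D0A32BBB" "A4E7C601")

if __name__ == "__main__":
    entry = decode_xp_userassist(PAGE_NAME, PAGE_DATA)
    for key, value in entry.items():
        print(f"{key}: {value}")
```

For this record the decoded path is the dropped copy of the backdoor, the counter shows a single launch, and the FILETIME places that launch in October 2006 (UTC), which is the kind of timeline evidence an analyst pulls from UserAssist when reconstructing an infection.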

Means of transmission 

WebMic.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

WebMic.A is written in the programming language Visual Basic. This backdoor is 1,555,7727 bytes in size and it is compressed with Xtreme-Protector.