| Field | Value |
| --- | --- |
| Name | Backdoor/Autoupder |
| Aliases | Backdoor.Autoupder, Troj_Sua.A, Backdoor/Autoupder |
| Discovered on | - |
Virus Information - Backdoor/Autoupder:

Backdoor/Autoupder is a backdoor. It disguises itself as Coolstuff.cab, a CAB file that contains the files Coolstuff.OCX and Coolstuff.inf. When Coolstuff.OCX is installed on the computer, it checks whether any of the following well-known firewall processes are present:
- Blackice.exe (Black Ice Defender)
- Blackd.exe (Black Ice Defender)
- Espwatch.exe (Esafe Protect Watch)
- Lookout.exe (ISS Network Sniffer application)
- Mpftray.exe (McAfee Personal Firewall)
- Nisum.exe (Norton Internet Security)
- Nmain.exe (Norton Internet Security)
- Persfw.exe (Tiny Personal Firewall)
- Smc.exe (Sygate Personal Firewall)
- Serv95.exe (Esafe Eliashim)
- Zonealarm.exe (ZoneAlarm Firewall)
In the presence of firewall software, Backdoor/Autoupder ceases to function. In the absence of firewall software, it tries to connect to a malicious website and then downloads some of the following files into the Windows folder: Ausvc.exe, Bvt.exe, Mnsvc.exe, Absr.exe. These 4 files are the primary components of Backdoor/Autoupder. Execution of Ausvc.exe drops Auupg.exe and Msvcp60.dll into the Windows folder and undo.bat into the Temp folder. Mnsvc.exe connects to the pre-defined malicious website and downloads any new update of Backdoor/Autoupder.

The backdoor changes the registry so that it is loaded again at the next startup, using the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
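The following script is an added example written for this page, not tooling from the advisory's vendor. It turns the indicators listed above (the component executables in the Windows folder and the Run-key persistence) into an offline check: it takes a snapshot of the Run key's values and a Windows-folder listing as plain Python data, so it can be run and tested without a live host; a collector would fill the same two structures from the registry and the file system. The Run value name "ausvc" in the sample snapshot is an assumption, since the advisory does not say which value name the backdoor writes, and the sample snapshot itself is constructed. Msvcp60.dll is reported only as context because it is the standard Visual C++ 6 runtime and is present on many clean systems.

```python
"""Indicator check for the Backdoor/Autoupder behaviour described on this page.

Added example, not the advisory's own tooling. It inspects a snapshot
(Run-key values and a Windows-folder listing) supplied as plain Python
data, so it runs offline; a live collector would fill the same structures
from winreg and os.listdir on the host.
"""
import ntpath
from typing import Dict, List

# Executables the advisory names as components or dropped files.
COMPONENT_EXES = {"ausvc.exe", "bvt.exe", "mnsvc.exe", "absr.exe", "auupg.exe"}

# Msvcp60.dll is also dropped, but it is the standard Visual C++ 6 runtime and
# present on many clean systems, so it is reported as context, never as a hit.
CONTEXT_FILES = {"msvcp60.dll"}

# Persistence location named by the advisory.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def executable_from_command(command: str) -> str:
    """Return the lower-cased file name of the program a Run value launches.

    Handles quoted paths ("C:\\dir\\a b.exe" /arg) and bare ones (a.exe /arg).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        path = parts[0] if parts else ""
    return ntpath.basename(path).lower()


def check_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Value names under the Run key that launch one of the listed components."""
    return sorted(name for name, cmd in run_values.items()
                  if executable_from_command(cmd) in COMPONENT_EXES)


def check_windows_dir(listing: List[str]) -> List[str]:
    """Listed component executables present in the Windows-folder listing."""
    return sorted(f for f in listing if f.lower() in COMPONENT_EXES)


def assess(run_values: Dict[str, str], listing: List[str]) -> dict:
    """Combine both checks into one verdict plus the evidence behind it."""
    run_hits = check_run_entries(run_values)
    file_hits = check_windows_dir(listing)
    context = sorted(f for f in listing if f.lower() in CONTEXT_FILES)
    return {
        "run_key": RUN_KEY,
        "run_hits": run_hits,
        "file_hits": file_hits,
        "context_files": context,
        "suspected": bool(run_hits or file_hits),
    }


# Constructed sample snapshot (not from a real infection). The Run value name
# "ausvc" is an assumption; the advisory does not state the name the backdoor uses.
SAMPLE_RUN_VALUES = {
    "SystemTray": r"C:\WINDOWS\system32\systray.exe",
    "ausvc": r'"C:\WINDOWS\Ausvc.exe" /s',
}
SAMPLE_WINDOWS_DIR = ["explorer.exe", "Ausvc.exe", "Mnsvc.exe", "Msvcp60.dll", "notepad.exe"]

if __name__ == "__main__":
    result = assess(SAMPLE_RUN_VALUES, SAMPLE_WINDOWS_DIR)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample snapshot the check reports the "ausvc" Run value and the two component files as hits and lists Msvcp60.dll as context only; a clean snapshot with just the runtime DLL yields no hits.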