|VIRUS NAME: BackDoor-ABH
This Remote Access Trojan masquerades as a downloader for an email client application. When executed on the victim machine, the Trojan attempts to connect to an FTP server. The Trojan contains the string:
'Would you like to download Bmail.. Bmail is a talking Email software that works with POP and other email accounts. Its works with Yahoo also. More will be added soon..'
In addition to opening this FTP connection, the worm opens an additional port on the victim machine, enabling remote access to the machine.
The Trojan sets the following Registry key in an attempt to run itself at system startup:
Run "SetFTPBack" = C:\WINDOWS\SYSTEM\createsw.exe
However, in testing the Trojan did not successfully copy itself to CREATESW.EXE in the System directory.
Existence of the Registry hook detailed above
Port 5135 open on victim machine
Method Of Infection
The Trojan is designed to install itself on the victim machine upon execution.