Virus Alert: Backdoor.Nemog.C

Backdoor.Nemog.C is a back door Trojan program that turns your infected computer into an e-mail forwarding tool. This Trojan also prevents users from accessing some security web sites.

Systems affected:

Windows 2000, Windows 98, Windows Me, Windows NT, Windows XP

Detailed description

When executed, Backdoor.Nemog.C performs the following actions:

  1. Creates the following files:

    %System%\dx32cxlp.exe
    %System%\dx32cxel.sys

  2. Creates the following registry keys so that the Trojan runs automatically when the system starts:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx32cxel
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DX32CXEL

  3. Hides the service and the Trojan's files by hooking several APIs and returning empty results when those APIs are queried.

  4. Relays e-mail from remote hosts on a randomly chosen TCP port, and runs an HTTP proxy server on another randomly chosen TCP port.

  5. Overwrites the hosts file in the system directory, %System%\drivers\etc\hosts.

  6. Receives commands from remote attackers through the back door. These commands include:

    • Uninstall the Trojan

    • Upgrade the Trojan

    • Download a file

  7. Prevents users from reaching security vendors' web and update sites (Symantec, McAfee/Network Associates, Kaspersky, F-Secure, Sophos, CA, Trend Micro) by adding entries to the hosts file %System%\drivers\etc\hosts that resolve each site to 127.0.0.1.


The following recommendations and removal instructions for Backdoor.Nemog.C are from Symantec Security:

Recommendations:

  • Turn off and remove unnecessary services. By default, many operating systems install services that are not needed, such as FTP, telnet, and web servers, and these services are a long-standing source of the weaknesses attackers use to compromise computers.

  • Keep patch levels current, especially on computers that host public services reachable through the firewall, such as HTTP, FTP, mail, and DNS.

  • Tighten the password policy. Complex passwords make password-cracking programs far less effective and limit the damage if a computer is compromised.

  • Configure e-mail servers to block or remove attachments with the extensions viruses commonly use to spread: .vbs, .bat, .exe, .pif, and .scr.

  • Isolate infected computers to stop the virus spreading within your organization, then audit the systems and back up data.

  • Tell employees not to open e-mail attachments unless they come from a safe, verifiable source, and not to run software downloaded from the Internet until antivirus software has scanned it. Browsers are not immune either: ordinary web browsing can sometimes be enough to infect a computer.

Trojan removal guide (Symantec)

  1. Disable System Restore (Windows Me / XP).

  2. Update the antivirus software to the latest virus definitions.

  3. Start the computer in Safe Mode or VGA Mode.

  4. Run a full system scan and clean or delete the files detected as Backdoor.Nemog.C.

  5. Remove the Trojan-related values that were added to the registry.

  6. Delete the text that the Trojan inserted into the Windows hosts file.
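As an added illustration of the hosts-file tampering described in step 7 of the behaviour list and the cleanup in step 6 of the removal guide (example code, not from Symantec or the original alert): a Python check that parses a hosts file, flags security-vendor hostnames pinned to a loopback address, and returns a cleaned copy that keeps legitimate entries. The vendor domains are taken from the alert; the sample hosts content is constructed.

```python
import ipaddress

# Security-vendor domains from the alert's hosts-file list (subdomains match too).
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "networkassociates.com", "my-etrust.com", "ca.com", "kaspersky.com",
    "kaspersky-labs.com", "avp.com", "viruslist.com", "f-secure.com",
    "sophos.com", "trendmicro.com",
)

def _is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; anything that is not an IP is not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def _is_vendor(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def scan_hosts(text):
    """Return (suspicious, cleaned).

    suspicious: (line_no, ip, hostname) for every vendor name pinned to a
    loopback address, which is the pattern the Trojan writes.
    cleaned: the hosts text with those names removed; a line is dropped only
    when every hostname on it was flagged, so legitimate entries survive."""
    suspicious, kept = [], []
    for n, line in enumerate(text.splitlines(), 1):
        body, _, comment = line.partition("#")
        fields = body.split()
        bad = [h for h in fields[1:] if _is_vendor(h)] if fields and _is_loopback(fields[0]) else []
        if not bad:
            kept.append(line)  # untouched, original whitespace preserved
            continue
        suspicious.extend((n, fields[0], h) for h in bad)
        good = [h for h in fields[1:] if h not in bad]
        if good:
            kept.append(" ".join([fields[0]] + good) + (" #" + comment if comment else ""))
    return suspicious, "\n".join(kept) + "\n"

# Constructed sample: legitimate lines plus entries in the style the alert describes.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com update.symantec.com  # injected
::1 www.kaspersky.com
192.168.1.10 intranet.example  # constructed: unrelated LAN entry
127.0.0.1 kaspersky.com localhost
"""

if __name__ == "__main__":
    found, cleaned = scan_hosts(SAMPLE_HOSTS)
    for line_no, ip, host in found:
        print(f"line {line_no}: {host} -> {ip}")
    print(cleaned, end="")
```

On a live system the same function can be run over the contents of %System%\drivers\etc\hosts; compare the cleaned copy against the original before replacing it.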