Backdoor.win32.Servhelper

General Explanation

Type: Trojan

Degree of destruction: high

Prevalence: average

What is a Trojan?

Trojans are a class of malware that present themselves as legitimate, harmless software and behave much like useful applications, but cause damage to the system once they are executed. They enter a system through software downloaded from the internet, code placed in HTML pages, email attachments, and similar routes. Unlike computer viruses and worms, Trojans cannot replicate themselves.

What is Servhelper malware?

This malware family exists in two variants: a Dropper and a Backdoor. The Backdoor variant connects to specific servers to send information and receive instructions. The Dropper variant creates (drops) the malware on the system. Another goal of this malware is to steal information stored in the user's browser.

Technical Explanation

Some variants of this malware inject their malicious code into the system process msra.exe, the standard remote desktop assistance process. Another variant of this family drops the FlawedGrace malware. Some variants also place helpobj.bat on the system and execute it using rundll32.exe. The distribution method is an infected email attachment: either a Word file containing a malicious macro that connects to malicious URLs and downloads the infected files, or a PDF file containing a seemingly valid link for updating Adobe Reader to the latest version, where the malicious link actually downloads the malware.

In the samples observed by the Padvish malware analysis laboratory, a PDF file containing a seemingly valid link for updating Adobe Reader to the latest version was found.

The displayed link address:

  • http://www.adobe.com/products/acrobat/readstep2.html

But this is only the visible text of the link; its real target is the following URL:

  • https://adobeupdt.net/En-US/reader/download/?installer=Reader_DC_2019.009.20088_English_Windows

which is a malicious link.

Signs of infection

Different versions of this malware show different signs.

  1. In some versions, the following signs are observed:
    • %USER%\appdata\local\temp\NtWrite.dat
    • %USER%\appdata\local\temp\tmp31.tmp
    • msra.exe is running (a standard system remote desktop process) and attempts to connect to the following addresses:
      Checksolutions[.]pw:443
      Afgdhjkrm[.]pw:443
      pointsoft[.]pw:443
      dedoshop[.]pw:443
  2. In some versions, the following signs are observed:
    • Creation of a service whose file, named winreset, is placed at the following path: %PROGRAMFILES%\(x86)\Common Files\System\winreset.exe
    • Two running processes of the winreset.exe service.
    • Attempts to connect to the following IP: 46.161.27.241
  3. In some versions, the following signs are observed:
    • Existence of the files helpobj.dat, zxa.bat, sdw.vbs and 1.Ink in the following path: %USER%\appdata\local\temp
    • Two running rundll32.exe processes that execute helpobj.dat and attempt to connect to the following addresses:
      Checksolutions[.]pw:443
      Afgdhjkrm[.]pw:443
      pointsoft[.]pw:443
      dedoshop[.]pw:443
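As an added illustration that is not part of the Padvish write-up, the following Python helper matches a host snapshot against the indicators listed above (defanged domains are restored before comparison). The HostSnapshot layout and field names are assumptions; gathering those facts from a live machine is left to whatever collection tooling the responder already uses.

```python
import re
from dataclasses import dataclass

# Indicators from the "Signs of infection" list above, refanged and lowercased.
IOC_DOMAINS = {"checksolutions.pw", "afgdhjkrm.pw", "pointsoft.pw", "dedoshop.pw"}
IOC_IPS = {"46.161.27.241"}
IOC_TEMP_FILES = {"ntwrite.dat", "tmp31.tmp", "helpobj.dat", "zxa.bat", "sdw.vbs", "1.ink"}
IOC_SERVICE_SUFFIX = "common files\\system\\winreset.exe"  # matched as a path suffix

def refang(endpoint: str) -> str:
    """'Checksolutions[.]pw:443' -> 'checksolutions.pw' (dots restored, port stripped)."""
    host = endpoint.replace("[.]", ".").strip().lower()
    return re.sub(r":\d+$", "", host)

@dataclass
class HostSnapshot:
    """Assumed layout: facts already collected from a host by the responder's tooling."""
    files: list        # full paths present on disk
    processes: list    # (image name, command line) pairs
    connections: list  # (owning image name, "host:port" remote endpoint) pairs

def triage(snap: HostSnapshot) -> list:
    """Return one 'kind: detail' string per indicator matched in the snapshot."""
    hits = []
    for path in snap.files:
        p = path.lower().replace("/", "\\")
        name = p.rsplit("\\", 1)[-1]
        if "\\temp\\" in p and name in IOC_TEMP_FILES:
            hits.append(f"file: {path}")
        elif p.endswith(IOC_SERVICE_SUFFIX):
            hits.append(f"file: {path}")
    for image, cmdline in snap.processes:
        img = image.lower()
        if img == "winreset.exe":
            hits.append(f"process: {image}")
        # rundll32.exe itself is legitimate; the sign is that it loads helpobj.dat.
        elif img == "rundll32.exe" and "helpobj.dat" in cmdline.lower():
            hits.append(f"process: {image} {cmdline}")
    for image, endpoint in snap.connections:
        host = refang(endpoint)
        if host in IOC_DOMAINS or host in IOC_IPS:
            # msra.exe is a standard Windows binary; only its destination is suspicious.
            hits.append(f"network: {image} -> {endpoint}")
    return hits
```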

How to deal with it and disinfect the system

Padvish Antivirus detects and disinfects this malware. To prevent these types of malware from entering your system, it is recommended to avoid clicking on suspicious links and to scan attachments and links before executing them. Also, keep your OS and antivirus up to date where possible.
