Troj/Bdoor-IC is a backdoor Trojan on the Windows platform.
When run, the Trojan drops two files into the Windows System folder:
1111swapmgr.exe - main backdoor Trojan component
1111tapidef.dll - DLL helper Trojan component
and then runs the main backdoor component in the background as a service process.
These 2 files are also being detected by Sophos as Troj/Bdoor-IC.
When the main backdoor Trojan component is run, it sets one of the following two registry entries so that it is run at user logon. It either
changes the following default Windows registry entry:
from:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe
to:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe %SYSTEM%\1111swapmgr.exe
or creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
1111swapmgr.exe
%SYSTEM%\1111swapmgr.exe
Once installed, Troj/Bdoor-IC creates a backdoor component that sets up a listening server on a random TCP port and awaits instructions from a remote attacker. The main backdoor Trojan component then uses the DLL helper component to hook itself into the Windows Internet Explorer process in order to hide itself.
Troj/Bdoor-IC may then attempt to perform any of the following actions when instructed to do so by a remote intruder:
download files from the internet and run them
change the Internet Explorer Start Page by changing the following registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
allow the infected machine to act as an HTTP proxy server, redirecting internet traffic
engage in distributed denial of service (DDoS) attacks
transfer files over the internet via HTTP and FTP
The Trojan also terminates the process associated with tcpsvc.exe and deletes the file tcpsvc.exe.
Troj/Bdoor-IC may also set the following registry entries:
HKLM\Software\Microsoft
SystemID
HKLM\Software\Microsoft
SystemType
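As an added example (not part of the Sophos write-up), the following Python check looks for the persistence entries described above (the modified Winlogon Shell value and the Run entry) and the SystemID/SystemType marker values. It takes a flat mapping of registry values, such as one built from a reg export or an offline hive parser, and the sample data below is constructed; the Winlogon check is generalised to flag any command appended after explorer.exe, not only this Trojan's file name.

```python
"""Offline registry check for the Troj/Bdoor-IC indicators described above.
Input: {(registry key, value name): data}; the INFECTED/CLEAN samples are constructed."""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED = ("1111swapmgr.exe", "1111tapidef.dll")  # file names from the write-up


def scan(values):
    """Return a list of (severity, description) findings for the given registry values."""
    findings = []
    # Case-insensitive lookup so HKLM\Software and HKLM\SOFTWARE compare equal.
    norm = {(k.lower(), n.lower()): d for (k, n), d in values.items()}

    # 1. Winlogon Shell should be exactly "explorer.exe"; anything appended
    #    (the Trojan appends %SYSTEM%\1111swapmgr.exe) is a generic red flag.
    shell = norm.get((WINLOGON.lower(), "shell"), "")
    extra = [t for t in re.split(r"[\s,]+", shell.strip())
             if t and t.lower() != "explorer.exe"]
    if extra:
        findings.append(("high", f"Winlogon Shell carries extra command(s): {extra}"))

    # 2. Run-key entries whose data references one of the dropped file names.
    for (key, name), data in norm.items():
        if key == RUN_KEY.lower() and any(d in data.lower() for d in DROPPED):
            findings.append(("high", f"Run entry '{name}' launches {data}"))

    # 3. Marker values the write-up says the Trojan may set under HKLM\Software\Microsoft.
    for marker in ("systemid", "systemtype"):
        if (r"hklm\software\microsoft", marker) in norm:
            findings.append(("low", f"HKLM\\Software\\Microsoft\\{marker} present (Bdoor-IC marker)"))
    return findings


# Constructed samples: one host showing the described changes, one clean host.
INFECTED = {
    (WINLOGON, "Shell"): r"explorer.exe %SYSTEM%\1111swapmgr.exe",
    (RUN_KEY, "1111swapmgr.exe"): r"%SYSTEM%\1111swapmgr.exe",
    (r"HKLM\Software\Microsoft", "SystemID"): "constructed-value",
}
CLEAN = {(WINLOGON, "Shell"): "explorer.exe"}

if __name__ == "__main__":
    for severity, text in scan(INFECTED):
        print(f"[{severity}] {text}")
```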