The infectious BackDoor.Saker.1 is the spreading malware that intercepts input data from the keyboard and is capable of bypassing the Windows User Account Control (UAC). The Russian anti-virus company Dr.Web has warned the users about BackDoor.Saker.1 whose main function is – to execute directives coming from hackers and infiltrators and to intercept keys pressed by the user.
Bringing the system to an infected state, the Trojan launches the file temp.exe so as to bypass the User Account Control. Bypassing is achieved by .exe file that extracts a library and adds it code into the process explorer.exe after which the library is saved into a system folder. Thereafter now when system utility Sysprep is started, the library simultaneously launches a malicious application called as ps.exe.
Doctor Web anti-virus detects this as Trojan.MulDrop4.61259. In turn, this file saves another library to a different folder. The library file is registered in the Windows Registry as a service with the name “Net Security Service” and the following description: “keep watch on system security and configuration. If this service is stopped, protected content might not be down loaded to the device”. This library contains the main backdoor payload.
As the system is now fully infected, the Trojan, BackDoor.Saker.1, now starts gathering information about the system and details like the Windows version, CPU frequency, available RAM, computer name, user login and the hard disk serial number is transmitted to the intruders. Next, the Trojan now creates a file in the system folder into which user keystrokes are logged.
Now with all preparations done, Backdoor.Saker.1 awaits a response from a remote server, which may involve commanding the backdoor to reboot, shut down, remove itself, start a separate thread to execute commands via a shell, or to run its own file manager which can upload files from an infected machine, download files via the network, create and delete folders, and move and run files.
At its website, Dr.Web mentions, that the threat’s signature is already added to its virus database, thus computers with Doctor Web anti-viruses are protected from BackDoor.Saker.1.