Know Your Malware: Bebshell


Bebshell is a Trojan horse with back door capabilities that may arrive as a Windows Meta File that exploits the Microsoft Windows Graphics Rendering Engine WMF SetAbortProc Code Execution Vulnerability (as described in the Microsoft Security Bulletin MS06-001).

Technical Details

Once Backdoor.Bebshell is executed, it performs the following actions:

1. Creates and executes the following file:

C:\comand.com

2. Creates the following files:

* %System%\webshell.dll
* %System%\winlog.dll
* %System%\windata.dat

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). Symantec Security Response - Backdoor.Bebshell

Linked by shanmuga Wednesday, 1st March 2006 6:25AM