Hanove Backdoor Trojan (Oct 27, 2011)
The SonicWALL UTM Research team discovered a new backdoor Trojan in the wild. The Trojan, called Hanove, opens a backdoor on the infected system that allows the attacker to send further commands to the compromised system. It was also observed capturing screenshots of the user’s desktop and uploading them to a remote server at regular intervals.

It performs the following activities:

  • It ensures persistence of infection across reboots by creating the following startup script
      All Users\Start Menu\Programs\Startup\syncdata.vbs

  • It captures screenshots of the user’s desktop at five second intervals and stores them at the following location
      Documents and Settings\{user}\Desktop\shot.bmp

  • It renames the captured screenshot using the current timestamp with the following file format

  • It decrypts obfuscated strings in memory to construct the remote URL it contacts. The decryption routine simply decrements the value of each character by one to get the decrypted string.

  • It uploads the captured screenshot to a remote URL using the custom user agent string “MBVDFRESCT”

  • It receives the following response if the upload is successful

  • The remote server it connects to is hosted in Pennsylvania, United States and is active at the time of writing this alert
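As an added example (not part of the SonicWALL alert), the Python below reverses the decrement-by-one string obfuscation described above and runs a detection pass over constructed proxy log lines, flagging clients that present the MBVDFRESCT user agent or POST to one host on the steady five-second cadence the screenshot uploads would produce. The log format, host names, sample obfuscated string and jitter tolerance are assumptions made for this example.

```python
import re
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Indicators from the alert: the custom User-Agent and the five-second upload
# cadence. The jitter tolerance is this example's own assumption.
HANOVE_USER_AGENT = "MBVDFRESCT"
EXPECTED_PERIOD_S = 5.0
JITTER_TOLERANCE_S = 1.0

# Constructed proxy log lines (not from the alert):
# epoch seconds, client IP, method, destination host, User-Agent.
SAMPLE_PROXY_LOG = """\
1319702400 10.0.0.7 POST upload.example.invalid MBVDFRESCT
1319702405 10.0.0.7 POST upload.example.invalid MBVDFRESCT
1319702410 10.0.0.7 POST upload.example.invalid MBVDFRESCT
1319702415 10.0.0.7 POST upload.example.invalid MBVDFRESCT
1319702401 10.0.0.9 GET www.example.invalid Mozilla/5.0
1319702470 10.0.0.9 GET www.example.invalid Mozilla/5.0
"""
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (.+)$")

def deobfuscate(s: str) -> str:
    """Reverse the alert's scheme: every obfuscated character is plaintext + 1."""
    return "".join(chr(ord(c) - 1) for c in s)

def find_hanove_activity(log_text: str) -> Dict[str, List[str]]:
    """Map client IP -> reasons for suspicion (UA match, ~5 s POST beaconing)."""
    rows = [m.groups() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    findings: Dict[str, List[str]] = {}
    for ip in sorted({ip for _, ip, _, _, ua in rows if ua == HANOVE_USER_AGENT}):
        findings.setdefault(ip, []).append("user-agent " + HANOVE_USER_AGENT)
    # Group POST timestamps per (client, destination) and look for the steady,
    # low-jitter period that periodic screenshot uploads would produce.
    posts: Dict[Tuple[str, str], List[int]] = {}
    for ts, ip, method, host, _ in rows:
        if method == "POST":
            posts.setdefault((ip, host), []).append(int(ts))
    for (ip, host), stamps in sorted(posts.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if (len(gaps) >= 2
                and abs(mean(gaps) - EXPECTED_PERIOD_S) <= JITTER_TOLERANCE_S
                and pstdev(gaps) <= JITTER_TOLERANCE_S):
            findings.setdefault(ip, []).append(
                f"periodic POSTs to {host} every ~{mean(gaps):.0f}s")
    return findings

if __name__ == "__main__":
    print(deobfuscate("iuuq;00"), find_hanove_activity(SAMPLE_PROXY_LOG))
```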

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Hanove.A (Trojan)
  • GAV: Hanove.A_2 (Trojan)