Hanove Backdoor Trojan

November 8, 2011

SonicWALL UTM Research team discovered a new backdoor Trojan in the wild. This backdoor Trojan called Hanove opens a backdoor on the infected system allowing the attacker to send further commands to the compromised system. The Trojan was also observed to be capturing and uploading screenshots of the user's desktop to a remote server at regular intervals.

It performs the following activities:

  • It ensures persistence of infection across reboots by creating the following startup script
      All UsersStart MenuProgramsStartupsyncdata.vbs

  • It captures screenshots of the user's desktop at five second intervals and stores it to the following location
      Documents and Settings{user}Desktopshot.bmp

  • It renames the captured screenshot using the current timestamp with the following file format

  • It decrypts obfuscated strings in memory to construct the remote URL it contacts. The decryption routine simply decrements the value of each character by one to get the decrypted string.

  • It uploads captured screenshot to a remote URL using the custom user agent string "MBVDFRESCT"

  • It receives the following response if the upload is successful

  • The remote server it connects to is hosted in Pennsylvania, United States and is active at the time of writing this alert

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Hanove.A (Trojan)
  • GAV: Hanove.A_2 (Trojan)