When the backdoor's file is run, it copies itself as POOLCLL.EXE to the Windows System folder. The backdoor then installs a service named 'evmon' (display name: 'Event Monitor'). The backdoor's file is started with the '-netcvs' parameter.
When active, the backdoor starts an FTP server on a random port.
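As an added example (not part of the original write-up), the following Python triages an exported inventory of services and processes for the installation artifacts described above: the POOLCLL.EXE file name, the 'evmon' service and its 'Event Monitor' display name, and the '-netcvs' start parameter. The records are constructed samples, and the record layout (kind, name, display, image) is an assumed export format.

```python
import ntpath
import re
import shlex

# Constructed sample records (not real telemetry). Each one models a service
# or process the way an endpoint inventory export might list it; "image" is
# the full command line, path first.
SAMPLE_RECORDS = [
    {"kind": "service", "name": "evmon", "display": "Event Monitor",
     "image": r"C:\WINDOWS\system32\POOLCLL.EXE -netcvs"},
    {"kind": "service", "name": "EventLog", "display": "Windows Event Log",
     "image": r"C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"kind": "process", "name": "poolcll.exe", "display": "",
     "image": r"c:\windows\system32\poolcll.exe -netcvs"},
    {"kind": "process", "name": "notepad.exe", "display": "",
     "image": r"C:\WINDOWS\system32\notepad.exe C:\Users\a\notes.txt"},
]


def match_indicators(record):
    """Return the indicators from the write-up that a single record matches."""
    hits = []
    image = record.get("image", "")
    # Split the command line Windows-style (posix=False keeps backslashes and
    # quoted paths intact), then take the executable as the first token.
    tokens = shlex.split(image, posix=False) if image else []
    exe = tokens[0].strip('"') if tokens else ""
    if ntpath.basename(exe).lower() == "poolcll.exe":
        hits.append("file:POOLCLL.EXE")
    if record.get("kind") == "service" and record.get("name", "").lower() == "evmon":
        hits.append("service:evmon")
    if record.get("display", "").lower() == "event monitor":
        hits.append("display:Event Monitor")
    # The parameter must stand alone as an argument, not be a substring.
    if re.search(r"(^|\s)-netcvs(\s|$)", image, re.IGNORECASE):
        hits.append("arg:-netcvs")
    return hits


def triage(records):
    """Map (kind, name) of every suspicious record to its matched indicators."""
    return {(r["kind"], r["name"]): match_indicators(r)
            for r in records if match_indicators(r)}


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_RECORDS).items():
        print(key, "->", ", ".join(hits))
```

A legitimate service or process will normally match none of these, while the installed backdoor matches all four on its service record.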
The backdoor can be controlled remotely to perform any of the following:
- start socks4/5 proxy
- start http proxy
- scan/exploit for vulnerabilities
- ping flood
- open command shell
- download/execute files
The backdoor contains the following scanners/exploits:
- ipc (remote shares), port 139
- mssql (Microsoft SQL servers), port 1433
- mysql, port 3306
- DCOM1 (DCOM RPC), ports 135, 445, 1025
- LSASS (MS04-011), port 445
- ftp_scan (remote ftp sites), port 21
The backdoor can spread to local networks. It contains a large list of usernames and passwords that are used in a dictionary attack.
Additionally, the backdoor steals CD keys from games and other software.