Backdoor.Win32.ImgDrop

Publication Date 09/13/2016
Class Backdoor
Platform Win32
Description

When launched, Backdoor.Win32.ImgDrop extracts a file from its body to the %system% folder under a name of the form winXXX32.dll, and adds that file to the list of programs that run automatically at operating system startup.
The malware stores its settings in the HKLM\SOFTWARE\Microsoft\MSSMGR registry key.
The body of Backdoor.Win32.ImgDrop contains a list of web addresses for command-and-control servers, with which the malware communicates by sending GET requests to the relative address /img/cmd.php.
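
A triage sketch for the three indicators described above, as an added example that is not part of the original entry. It assumes a whitespace-separated proxy log (timestamp, client, method, URL, status), treats XXX as any three letters or digits, and takes %system% to be a folder named System32; all sample data is constructed.

```python
import ntpath
import re
from urllib.parse import urlsplit

C2_PATH = "/img/cmd.php"                     # relative address from the description
REG_KEY = r"HKLM\SOFTWARE\Microsoft\MSSMGR"  # settings key from the description
# Assumption: "XXX" in winXXX32.dll stands for any three letters or digits.
DLL_NAME = re.compile(r"win[0-9a-z]{3}32\.dll", re.IGNORECASE)

def beaconing_clients(log_lines):
    """Map client IP -> set of hosts it sent GET <host>/img/cmd.php to.
    Assumed log layout: timestamp client method url status."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "GET":
            continue  # malformed line, or not a GET request
        url = urlsplit(fields[3])
        if url.path.lower() == C2_PATH:  # query string is ignored
            hits.setdefault(fields[1], set()).add(url.hostname)
    return hits

def host_artifacts(file_paths, registry_keys):
    """Return (suspect DLL paths in the system folder, matching registry keys)."""
    dlls = [p for p in file_paths
            if ntpath.basename(ntpath.dirname(p)).lower() == "system32"
            and DLL_NAME.fullmatch(ntpath.basename(p))]
    # Match the key itself or any subkey, but not e.g. ...\MSSMGRX
    keys = [k for k in registry_keys
            if (k.upper() + "\\").startswith(REG_KEY.upper() + "\\")]
    return dlls, keys

# Constructed sample data (reserved example domains, private addresses)
SAMPLE_LOG = [
    "2016-09-13T08:01:12Z 10.0.0.21 GET http://c2.example.net/img/cmd.php?id=7 200",
    "2016-09-13T08:01:40Z 10.0.0.21 GET http://cdn.example.org/img/cmd.php 200",
    "2016-09-13T08:02:03Z 10.0.0.35 GET http://shop.example.com/img/logo.png 200",
    "2016-09-13T08:02:09Z 10.0.0.35 POST http://shop.example.com/img/cmd.php 200",
    "truncated line",
]
SAMPLE_FILES = [r"C:\Windows\System32\winab132.dll",
                r"C:\Windows\System32\winspool.drv",
                r"C:\Users\kim\Downloads\winab132.dll"]
SAMPLE_KEYS = [r"HKLM\SOFTWARE\Microsoft\MSSMGR",
               r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"]

if __name__ == "__main__":
    print(beaconing_clients(SAMPLE_LOG))
    print(host_artifacts(SAMPLE_FILES, SAMPLE_KEYS))
```

A single match is a lead for triage, not a verdict; a host that matches on the request path, the file name and the registry key together deserves priority.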

Geographical distribution of attacks by the Backdoor.Win32.ImgDrop family


Geographical distribution of attacks during the period from 13 September 2014 to 13 September 2016

Top 10 countries with most attacked users (% of total attacks)

Rank  Country             % of users attacked worldwide*
1     Russian Federation  20.48
2     China               10.84
3     Vietnam             9.64
4     Germany             7.23
5     India               7.23
6     France              4.82
7     Hungary             3.61
8     Ukraine             3.61
9     Austria             2.41
10    India               2.41

* Percentage among all unique Kaspersky Lab users worldwide attacked by this malware