How to Remove Gazer Backdoor

Gazer is a Trojan horse that opens a backdoor on the compromised computer and may also download potentially malicious files. It was discovered on August 31, 2017. It affects Windows 7, 8 and 10 systems, and the published risk level is Very Low.

Once executed, the Trojan creates the following files:

  • %Temp%\CVRG1A6B.tmp.cvr
  • %Temp%\CVRG38D9.tmp.cvr
  • %Temp%\CVRG72B5.tmp.cvr

The Trojan then creates the following registry subkeys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{8E9810C5-3014-4678-27EE-3B7A7AC346AF}\{17A5772C-06D7-496F-BFB1-A32E225DD941}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{81A03BF8-60AA-4A56-253C-449121D61CAF}\{14722320-D2EE-478C-BA67-62536F00F3AF}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{6CEE6FE1-10A2-4C33-7E7F-855A51733C77}\{BACB175B-72B0-4836-AAE2-4AAAA3EFDB84}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{629336E3-58D6-633B-5182-576588CF702A}\{F73A8691-D8DD-4C41-81CE-1CE85E2F3B7E}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{56594FEA-5774-746D-4496-6361266C40D0}\{69379762-0F37-4E8F-884F-A7865C2BCD6D}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{4A3130BD-2608-730F-31A7-86D16CE66100}\{9EC977EE-F422-4C64-94CB-8F3340F29EE2}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{3CDC155D-398A-646E-1021-23047D9B4366}\{F1940083-C9D3-4180-A319-F86DA1B1AEBB}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{3CDC155D-398A-646E-1021-23047D9B4366}\{A5D40479-47AA-4A44-B374-78EB28F9CDBB}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{31AC34A1-2DE2-36AC-1F6E-86F43772841F}\{7292ABC5-C8F5-4CC7-B6C5-9D83B701020B}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{1DC12691-2B24-2265-435D-735D3B118A70}\{DF50E9FB-93D6-4A1E-AA02-FECB5BF94BEE}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver\{119D263D-68FC-1942-3CA3-46B23FA652A0}\{A7C39FA8-40CE-4C65-B4FF-AAF59086F445}

Next, the Trojan opens a backdoor on the compromised computer and connects to the following remote locations:

  • [http://]baby.greenweb.co.il
  • [http://]dyskurs.com.ua

The Trojan may also download potentially malicious files on to the compromised computer.
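The files, registry keys and remote hosts listed above are the indicators a responder would check for on a suspect machine. The script below is an added example written for this page; it is not code from the original write-up or from the malware's authors. It reports every listed artifact present on the local host and, with -Remove, deletes the matching files and registry branches. It assumes it is run with administrative rights as the user whose profile was infected (the keys are under HKCU, so the infected account's hive must be the one loaded), that $env:TEMP is that user's %Temp%, and that the names are exactly as listed. Step 3 goes beyond the list: it flags any GUID-named subkey under the same ScreenSaver key, on the assumption that Windows itself does not create such subkeys there; those hits are reported for review and never auto-deleted.

```powershell
<#
  Added example, not the original page's or the malware's code: checks a
  Windows host for the Gazer artifacts listed above and optionally removes them.
  Assumptions: elevated session, run as the infected user (HKCU keys),
  $env:TEMP is that user's %Temp%, names exactly as listed on the page.
#>
[CmdletBinding()]
param(
    [switch]$Remove   # report only unless this switch is given
)

$files = @(
    "$env:TEMP\CVRG1A6B.tmp.cvr",
    "$env:TEMP\CVRG38D9.tmp.cvr",
    "$env:TEMP\CVRG72B5.tmp.cvr"
)

# Every listed key is <base>\<parent GUID>\<child GUID>; only the pairs differ.
$ssBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver'
$keyPairs = @(
    '{8E9810C5-3014-4678-27EE-3B7A7AC346AF}\{17A5772C-06D7-496F-BFB1-A32E225DD941}',
    '{81A03BF8-60AA-4A56-253C-449121D61CAF}\{14722320-D2EE-478C-BA67-62536F00F3AF}',
    '{6CEE6FE1-10A2-4C33-7E7F-855A51733C77}\{BACB175B-72B0-4836-AAE2-4AAAA3EFDB84}',
    '{629336E3-58D6-633B-5182-576588CF702A}\{F73A8691-D8DD-4C41-81CE-1CE85E2F3B7E}',
    '{56594FEA-5774-746D-4496-6361266C40D0}\{69379762-0F37-4E8F-884F-A7865C2BCD6D}',
    '{4A3130BD-2608-730F-31A7-86D16CE66100}\{9EC977EE-F422-4C64-94CB-8F3340F29EE2}',
    '{3CDC155D-398A-646E-1021-23047D9B4366}\{F1940083-C9D3-4180-A319-F86DA1B1AEBB}',
    '{3CDC155D-398A-646E-1021-23047D9B4366}\{A5D40479-47AA-4A44-B374-78EB28F9CDBB}',
    '{31AC34A1-2DE2-36AC-1F6E-86F43772841F}\{7292ABC5-C8F5-4CC7-B6C5-9D83B701020B}',
    '{1DC12691-2B24-2265-435D-735D3B118A70}\{DF50E9FB-93D6-4A1E-AA02-FECB5BF94BEE}',
    '{119D263D-68FC-1942-3CA3-46B23FA652A0}\{A7C39FA8-40CE-4C65-B4FF-AAF59086F445}'
)

$domains = @('baby.greenweb.co.il', 'dyskurs.com.ua')

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files in %Temp%
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings.Add("File: $f")
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# 2. The exact registry keys from the list above
foreach ($pair in $keyPairs) {
    $key = Join-Path $ssBase $pair
    if (Test-Path -LiteralPath $key) {
        $findings.Add("Registry: $key")
        if ($Remove) {
            # Delete the parent GUID key so the whole branch goes, not only the inner subkey.
            Remove-Item -LiteralPath (Split-Path $key -Parent) -Recurse -Force
        }
    }
}

# 3. Heuristic beyond the list: any GUID-named subkey left under the same
#    ScreenSaver key. Assumption: Windows does not create such subkeys there,
#    so a hit is worth a look even when the GUIDs differ from this sample.
#    Reported only, never removed automatically.
$guidRe = '^\{[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}$'
if (Test-Path -LiteralPath $ssBase) {
    Get-ChildItem -LiteralPath $ssBase |
        Where-Object { $_.PSChildName -match $guidRe } |
        ForEach-Object { $findings.Add("Registry (GUID subkey, review): $($_.Name)") }
}

# 4. C2 domains in the local resolver cache. Deliberately no live lookup:
#    resolving the C2 names from the victim tells the operator someone is looking.
$dnsCache = (ipconfig /displaydns) -join "`n"
foreach ($d in $domains) {
    if ($dnsCache -match [regex]::Escape($d)) { $findings.Add("DNS cache: $d") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Gazer indicators from the list found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to delete the matching files and registry keys.' }
}
```

Run it once without arguments to see what is present, then with -Remove. A clean result from this script is not a clean bill of health: the indicators are those of one analysed sample, the command set includes CMC_TAKE_LOADER_BODY and the backdoor can download further files, so a host that had an active Gazer backdoor should get a full scan with up-to-date signatures or be reimaged, and the two remote hosts should be blocked at the network edge and searched for in proxy and DNS logs to find other affected machines.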

The Trojan can execute the following commands:

  • CMC_TAKE_NOP
  • CMC_GIVE_SETTINGS
  • CMC_TAKE_CAN_NOT_WORK
  • CMC_GIVE_CACHE
  • CMC_TAKE_CACHE
  • CMC_TAKE_TASK
  • CMC_GIVE_RESULT
  • CMC_TAKE_CONFIRM_RESULT
  • CMC_TAKE_LOADER_BODY
  • CMC_TAKE_UNINSTALL
  • CMC_NO_CONNECT_TO_GAYZER
  • CMC_TAKE_LAST_CONNECTION
