Backdoor.Tumag allows unauthorized remote access to an infected computer. By default, the backdoor listens on TCP port 9010.
When Backdoor.Tumag is executed, it performs the following actions:
Copies itself as:
Creates the registry key:
to keep track of the infection's progress.
Connects to dns2010.vicp.net or 126.96.36.199 on port 9002 to notify the author of the backdoor.
Opens a backdoor on TCP port 9010 and listens for commands from the attacker.
The backdoor can perform the following default actions:
- Update itself
- Take a screenshot
- Provide system information
- Create files
- Execute programs
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "DCE Manager"="%System%\dcemgr.exe"
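The network indicators above (the notification host and port, the listening port) and the Run-key value named in the removal step can be checked offline from collected host artifacts. The following Python script is an added example and is not part of the advisory; it parses constructed `netstat -ano` rows, a constructed `.reg` export of the Run key and constructed DNS query log lines, and reports which Backdoor.Tumag indicators from the advisory appear. The sample artifacts are invented for demonstration, not captured from a real host.

```python
"""Offline indicator checks for the Backdoor.Tumag advisory (added example)."""
import re

# Indicators quoted from the advisory text
C2_HOSTS = {"dns2010.vicp.net", "126.96.36.199"}
C2_PORT = 9002
BACKDOOR_PORT = 9010
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DCE Manager"
RUN_VALUE_DATA = r"%System%\dcemgr.exe"


def check_netstat(lines):
    """Flag a listener on the backdoor port or a session to the notification endpoint.

    Expects `netstat -ano` style rows: proto, local, remote, state, pid.
    Returns a list of (reason, pid) tuples.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0].upper() != "TCP":
            continue
        local, remote, state, pid = parts[1], parts[2], parts[3], parts[4]
        lport = int(local.rsplit(":", 1)[1])
        rhost, rport = remote.rsplit(":", 1)
        if state.upper() == "LISTENING" and lport == BACKDOOR_PORT:
            findings.append((f"listener on TCP {BACKDOOR_PORT}", pid))
        if rhost in C2_HOSTS and rport.isdigit() and int(rport) == C2_PORT:
            findings.append((f"session to {rhost}:{rport}", pid))
    return findings


def check_dns_log(lines):
    """Return the log lines that mention the notification host (any log format)."""
    pattern = re.compile(r"\b(" + "|".join(re.escape(h) for h in C2_HOSTS) + r")\b")
    return [ln for ln in lines if pattern.search(ln)]


def _unescape_reg(s):
    # .reg exports escape backslashes and quotes with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def check_reg_export(text):
    """Parse a .reg export and report the advisory's Run value if present.

    Key paths and value names are compared case-insensitively because the
    registry itself is case-insensitive.
    """
    current_key = None
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if not m or current_key is None:
            continue
        name, data = _unescape_reg(m.group(1)), _unescape_reg(m.group(2))
        if (current_key.lower() == RUN_KEY.lower()
                and name.lower() == RUN_VALUE_NAME.lower()
                and data.lower() == RUN_VALUE_DATA.lower()):
            hits.append((current_key, name, data))
    return hits


def scan(netstat_lines, dns_lines, reg_text):
    """Run all three checks and summarise whether any indicator matched."""
    report = {
        "netstat": check_netstat(netstat_lines),
        "dns": check_dns_log(dns_lines),
        "registry": check_reg_export(reg_text),
    }
    report["matched"] = any(report[k] for k in ("netstat", "dns", "registry"))
    return report


# Constructed sample artifacts (not captured from a real host)
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:9010           0.0.0.0:0              LISTENING       1388
  TCP    192.168.1.20:1055      126.96.36.199:9002     ESTABLISHED     1388
  TCP    192.168.1.20:1060      203.0.113.10:443       ESTABLISHED     2200
""".strip().splitlines()

SAMPLE_DNS = [
    "2024-01-01 10:00:01 client 192.168.1.20 query: www.example.com A",
    "2024-01-01 10:00:05 client 192.168.1.20 query: dns2010.vicp.net A",
]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"DCE Manager"="%System%\\dcemgr.exe"
"""

if __name__ == "__main__":
    for key, value in scan(SAMPLE_NETSTAT, SAMPLE_DNS, SAMPLE_REG).items():
        print(key, value)
```

The netstat check keys on the remote IP from the advisory; the hostname form only appears in DNS or proxy logs, which is why a separate log check is included. On a live Windows host the same three inputs come from `netstat -ano`, `reg export` of the Run key, and the DNS client or resolver logs.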