
BKDR_TENGO.A

Posted: May 13, 2013

Threat Metric

Ranking: 1,686
Threat Level: 2/10
Infected PCs: 126,436
First Seen: May 13, 2013
Last Seen: October 17, 2023
OS(es) Affected: Windows

BKDR_TENGO.A is a new variant of Winnti, a backdoor trojan designed and distributed by a criminal organization of the same name. Like other versions of Winnti, BKDR_TENGO.A appears to be used primarily in targeted attacks that steal document-based information from game companies. What sets BKDR_TENGO.A apart from previous versions of Winnti is its construction, which was enabled through AheadLib – a legitimate (but, obviously, abusable) DLL analysis utility. BKDR_TENGO.A is not encrypted, and most anti-malware programs should be able to detect and remove BKDR_TENGO.A easily, but SpywareRemove.com malware researchers continue to rate BKDR_TENGO.A, like all forms of Winnti, as a high-level threat that's capable of stealing confidential information from your computer.

BKDR_TENGO.A: When a Windows File Isn't What It Seems to Be

In keeping with Winnti's past stratagems for concealing itself, BKDR_TENGO.A's file is disguised as a fake Windows system file, Winmm.dll, a library that normally is found on your computer as the enabler of some audio and joystick-related functions. The fake Winmm.dll known as BKDR_TENGO.A, however, actually is a backdoor trojan that specializes in stealing information from your computer.
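The disguise described above (a backdoor carrying the name of the legitimate Winmm.dll) is something a defender can hunt for by comparing where a system-named DLL is loaded from against where the genuine copy lives, and whether it carries a trusted signature. The following Python is an added example, not code from SpywareRemove.com or from any Winnti analysis: the module-load records are constructed inline to stand in for an image-load telemetry feed, and the signer list, the small set of DLL names and the two system directories are assumptions that a real deployment would replace with its own inventory.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# winmm.dll is the name the write-up describes; the other entries are a
# small hypothetical set that a real inventory of system DLL names replaces.
MASQUERADE_NAMES = {"winmm.dll", "kernel32.dll", "version.dll", "dbghelp.dll"}

# Assumption: only these two directories hold the genuine copies
# (WinSxS staging copies are deliberately out of scope here).
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Assumed set of signer names a valid Authenticode signature must carry.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}


@dataclass
class ModuleLoad:
    process: str                  # image name of the loading process
    image_path: str               # DLL path as reported by the load event
    signed: bool                  # signature present and cryptographically valid
    signer: Optional[str] = None  # subject name on that signature, if any


@dataclass
class Finding:
    process: str
    image_path: str
    reasons: List[str]


def is_system_dll_name(path: PureWindowsPath) -> bool:
    """True when the file borrows the name of a well-known system library."""
    return path.name.lower() in MASQUERADE_NAMES


def check_load(ev: ModuleLoad) -> Optional[Finding]:
    """Return a Finding when a system-named DLL is loaded from the wrong
    place or without a trusted signature; None when the load looks normal."""
    p = PureWindowsPath(ev.image_path)
    if not is_system_dll_name(p):
        return None
    reasons = []
    # PureWindowsPath equality is case-insensitive, so telemetry that reports
    # "c:\windows\SYSWOW64" still matches the trusted directory entry.
    # A relative path (no drive) is never the genuine copy either.
    if not p.is_absolute() or p.parent not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from outside System32/SysWOW64")
    if not ev.signed or ev.signer not in TRUSTED_SIGNERS:
        reasons.append("missing or untrusted Authenticode signature")
    return Finding(ev.process, ev.image_path, reasons) if reasons else None


def audit(loads: List[ModuleLoad]) -> List[Finding]:
    """Run check_load over a feed and keep only the suspicious loads."""
    return [f for f in (check_load(ev) for ev in loads) if f is not None]


# Constructed sample feed, not real telemetry.
SAMPLE_LOADS = [
    ModuleLoad("explorer.exe", r"C:\Windows\System32\winmm.dll", True, "Microsoft Windows"),
    ModuleLoad("svchost.exe", r"c:\windows\SYSWOW64\WINMM.DLL", True, "Microsoft Windows"),
    ModuleLoad("launcher.exe", r"C:\Games\Launcher\winmm.dll", False),
    ModuleLoad("updater.exe", r"D:\Tools\version.dll", True, "Contoso Ltd"),
    ModuleLoad("updater.exe", r"D:\Tools\updater.dll", False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOADS):
        print(f"{f.process}: {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run on the sample feed, the two System32/SysWOW64 loads pass, the unsigned winmm.dll beside a game launcher is flagged on both counts, and the Contoso-signed version.dll is flagged because a valid signature from the wrong signer is still not the Windows copy. The last record is ignored because updater.dll does not borrow a system name; that is the trade-off of a name allow-list, which keeps the noise down but depends on the inventory being complete.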

Past Winnti attacks have focused on various gaming companies with the intention of compromising any readily accessible document data. BKDR_TENGO.A doesn't appear to diverge from this pattern in any meaningful way: SpywareRemove.com malware researchers can confirm that BKDR_TENGO.A targets information that's held in PDF, TIFF and Microsoft Office files. In particular, BKDR_TENGO.A will try to target files that are stored on removable flash drives (USB devices). While this information theft is the main focus of BKDR_TENGO.A and other forms of Winnti, it's also important to realize that BKDR_TENGO.A includes other functions, such as basic backdoor capabilities that can, in theory, allow an attacker to take over your PC. Previous Winnti attacks also have attempted to compromise PCs that are accessible via local networks.

Exploiting the Laziness of Criminals for Your PC's Safety

The Winnti gang has a reputation for preferring to target easily compromised PCs, and usually doesn't make extreme efforts to protect its malware with sophisticated techniques. SpywareRemove.com malware experts have found that BKDR_TENGO.A continues this pattern by being completely unencrypted – an unusual trait for a backdoor trojan, and one that allows a good anti-malware program to detect BKDR_TENGO.A more easily than would be the case with more advanced PC threats, such as the average rootkit.

At the same time, BKDR_TENGO.A also is evidence that the Winnti campaign still is being developed and upgraded. SpywareRemove.com malware researchers recommend that all the standard anti-malware and online security practices be followed as defenses against BKDR_TENGO.A attacks. This applies particularly to employees of both major and minor game development companies, which are the favored victims of BKDR_TENGO.A and past versions of Winnti.

Technical Details

Additional Information

The following URLs were detected:
gestyy.com