Bkdr_Fonamebot.A is a backdoor that drops a copy of itself as WMIPRVSE.EXE in the root folder of the system. It also attempts to drop a copy of itself in the current user's Windows Startup folder, but this fails because of an error in its code.

It performs its backdoor routine by sending a domain name query to a malicious DNS server. It randomly chooses the domain name from a list so that the traffic it generates will not look suspicious.

When the malicious DNS server receives this query, it replies with a command to perform an arbitrary action on the affected machine, thus compromising system security.
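A detection sketch for the two behaviours described above, added here as an example and not taken from the original write-up: it flags a file named wmiprvse.exe running outside the legitimate WMI directories, and DNS queries sent to a server that is not an approved resolver. The event field names, the approved resolver address, the `C:\` drop path and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Legitimate locations of the WMI Provider Host on Windows.
LEGIT_DIRS = {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"}
# Assumption: resolvers this network is expected to use (documentation address).
APPROVED_RESOLVERS = {"192.0.2.53"}

def masquerading_wmiprvse(image_path):
    """True when a file named wmiprvse.exe runs from outside the WMI directories."""
    path = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(path)
    return name == "wmiprvse.exe" and directory.rstrip("\\") not in LEGIT_DIRS

def triage(events):
    """Return (host, reason) findings for process-creation and DNS events."""
    flagged = set()   # (host, pid) pairs of masquerading processes
    findings = []
    for ev in events:
        if ev["type"] == "process" and masquerading_wmiprvse(ev["image"]):
            flagged.add((ev["host"], ev["pid"]))
            findings.append((ev["host"], "wmiprvse.exe outside wbem: " + ev["image"]))
        # The queried names are picked to look ordinary, so key on the
        # destination server rather than on the domain name.
        elif ev["type"] == "dns" and ev["server"] not in APPROVED_RESOLVERS:
            reason = "DNS query to unapproved server " + ev["server"]
            if (ev["host"], ev["pid"]) in flagged:
                reason += " from flagged process"
            findings.append((ev["host"], reason))
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not from the original write-up
    {"type": "process", "host": "ws01", "pid": 4120,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"type": "process", "host": "ws02", "pid": 3308, "image": r"C:\WMIPRVSE.EXE"},
    {"type": "dns", "host": "ws01", "pid": 900,
     "server": "192.0.2.53", "qname": "example.com"},
    {"type": "dns", "host": "ws02", "pid": 3308,
     "server": "198.51.100.7", "qname": "example.org"},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, "-", reason)
```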


Technical details can be found at this Trend Micro page.