
Trojan:Win32/Redyms.A


First posted on 14 March 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Redyms.A is also known as Trojan.Win32.Redyms (Ikarus), Mal/Redyms-A (Sophos).

Explanation:



Installation

Trojan:Win32/Redyms.A copies itself to your %AppData% folder using the following naming format:

"%AppData%\<random GUID>\<random letters>.exe", for example, "%AppData%\7f5ed85d-6828-4f92-858c-f40b0ac6813879\feddfcfbac.exe".

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".

Trojan:Win32/Redyms.A connects to the server "fsepzqgv-osvxg.net" to report that it has successfully infected your computer. It also tries to access "www.microsoft.com" to see if your computer is connected to the Internet.

It creates a registry entry so that it automatically runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Set value: "<random letters>", for example, "feddfcfbac"
With data: "<malware file name>", for example, "%AppData%\7f5ed85d-6828-4f92-858c-f40b0ac6813879\feddfcfbac.exe"

It also creates the following registry entries as part of its installation process:

In subkey: HKCU\SOFTWARE\Adobe\CSXS.2.5
Set value: "LogLevel"
With data: "1"

In subkey: HKCU\SOFTWARE\Adobe\CSXS.2.5
Set value: "tLastM_Reader"
With data: "<binary data>"
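As an added example (not part of the Microsoft write-up), the following Python scans "reg query" style output for the persistence entry and installation markers described above. The sample output, user name and binary data are constructed; the path pattern is written loosely enough to match the write-up's own example, whose last GUID group has 14 hex digits.

```python
import re

# Path format from the write-up: %AppData%\<GUID>\<random letters>.exe.
# Accepts the literal %AppData% or its expanded Roaming location.
REDYMS_PATH_RE = re.compile(
    r"""(?:%AppData%|\\AppData\\Roaming)\\     # %AppData%, literal or expanded
        [0-9a-f]{8}(?:-[0-9a-f]{4,14}){4}\\    # GUID-like directory name
        [a-z]{4,20}\.exe$                       # random-letters file name""",
    re.IGNORECASE | re.VERBOSE,
)

PERSISTENCE_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Adobe\CSXS.2.5"
MARKER_VALUES = {"loglevel", "tlastm_reader"}  # value names set during installation


def parse_reg_query(text):
    """Yield (key, value_name, type, data) from 'reg query' output: key lines are
    unindented, value lines are indented and separated by runs of spaces."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            yield key, parts[0], parts[1], parts[2]


def scan_for_redyms(text):
    """Return autorun values matching the Redyms path format and any CSXS.2.5 markers."""
    result = {"autoruns": [], "markers": []}
    for key, name, _vtype, data in parse_reg_query(text):
        if key.lower() == PERSISTENCE_KEY.lower() and REDYMS_PATH_RE.search(data.strip('"')):
            result["autoruns"].append((name, data))
        elif key.lower() == MARKER_KEY.lower() and name.lower() in MARKER_VALUES:
            result["markers"].append(name)
    return result


# Constructed sample output, modelled on the registry entries in the write-up.
SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    feddfcfbac    REG_SZ    C:\Users\alice\AppData\Roaming\7f5ed85d-6828-4f92-858c-f40b0ac6813879\feddfcfbac.exe
    OneDrive    REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe

HKEY_CURRENT_USER\SOFTWARE\Adobe\CSXS.2.5
    LogLevel    REG_SZ    1
    tLastM_Reader    REG_BINARY    0A1B2C3D
"""

if __name__ == "__main__":
    print(scan_for_redyms(SAMPLE))
```

The OneDrive entry in the sample is left unflagged because it lives under AppData\Local and has no GUID-named directory; only the Policies\Explorer\Run value pointing into %AppData%\<GUID>\ is reported.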



Payload

Trojan:Win32/Redyms.A injects itself into every running process. It checks if the process name contains any of the following strings, which indicates it may be a browser:

  • avant
  • browser
  • chrome
  • firefox
  • iexplo
  • maxthon
  • mozill
  • netsc
  • opera
  • safari


If the process appears to be a browser, Trojan:Win32/Redyms.A checks if it's open to a URL containing any of the following strings, which may indicate that a search is being done:

  • .ask.com
  • search.aol.
  • search.icq.com
  • search.xxx
  • search.yahoo.
  • www.alexa.com
  • www.bing.com
  • www.google.
  • www.wiki.com
  • www.yandex.com


If the URL contains any of these strings, Trojan:Win32/Redyms.A tries to redirect search results to a certain website.

Additional information

Trojan:Win32/Redyms.A checks your Internet traffic by hooking the following Windows functions:

  • mswsock!WSPCloseSocket
  • mswsock!WSPRecv
  • mswsock!WSPSend




Analysis by Shawn Wang

Last update 14 March 2013

 
