Trojan:Win32/Rerdom.A
First posted on 04 April 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Rerdom.A is also known as Trojan.Win32.Yakes.boia (Kaspersky), Trojan.Win32.Yakes (Ikarus).
Explanation:
Installation
Trojan:Win32/Rerdom.A drops a copy of itself using a random file name in the following folder:
"%AppData%\<random folder>\<random name>.exe", for example, "%AppData%\uvwueni\anpow.exe"
It creates the following registry entries so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random number>", for example, "2772969301"
With data: "%AppData%\<random folder>\<random name>.exe", for example, "%AppData%\uvwueni\anpow.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random number>", for example, "2772969301"
With data: "%AppData%\<random folder>\<random name>.exe", for example, "%AppData%\uvwueni\anpow.exe"
It also creates a scheduled task named "Security Center Update - <random nine number name>" to ensure that it runs regularly.
Trojan:Win32/Rerdom.A also creates the following registry entry as part of its installation process:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
Sets value: "Windows"
With data: "<system folder>\csrss.exe objectdirectory=\windows sharedsection=1024,1536,512 windows=on subsystemtype=windows serverdll=basesrv,1 serverdll=winsrv:userserverdllinitialization,3 serverdll=winsrv:conserverdllinitialization,2 profilecontrol=off maxrequestthreads=16"
It also drops the following file as part of its installation process:
<system folder>\winsec.exe
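A defender-side check for the persistence artifacts listed above, added here as an example and not part of the original writeup. It assumes PowerShell 3 or later (for Get-ScheduledTask and -notin), reads the "nine number" task suffix as a run of digits, and treats basesrv, winsrv and sxssrv as the only expected ServerDll entries in the SubSystems "Windows" value.

```powershell
# Added example: look for the Rerdom.A installation artifacts described above.
# Assumptions: PowerShell 3+; expected ServerDll set is basesrv/winsrv/sxssrv.
$findings = @()

# 1. Run values whose name is purely numeric and whose data points to
#    %AppData%\<folder>\<name>.exe (both HKLM and HKCU are used by the trojan).
$appData = [Environment]::GetFolderPath('ApplicationData')
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^\d+$') { continue }
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($data -like "$appData\*\*.exe") {
            $findings += "$hive Run value '$($p.Name)' -> $data"
        }
    }
}

# 2. Scheduled task "Security Center Update - <digits>" (digit count assumed).
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match '^Security Center Update - \d+$' }
foreach ($t in $tasks) {
    $findings += "Scheduled task '$($t.TaskName)' -> $($t.Actions.Execute)"
}

# 3. SubSystems\Windows: report any ServerDll= entry outside the expected set,
#    and show the current value so an analyst can compare it with the stock one.
$ssKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$ss = Get-ItemProperty -Path $ssKey -Name Windows -ErrorAction SilentlyContinue
if ($ss) {
    $dlls = [regex]::Matches($ss.Windows, 'ServerDll=([^,:\s]+)', 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
    $unexpected = $dlls | Where-Object { $_ -notin 'basesrv', 'winsrv', 'sxssrv' }
    if ($unexpected) {
        $findings += "SubSystems\Windows has unexpected ServerDll: $($unexpected -join ', ')"
    }
    "Current SubSystems\Windows value: $($ss.Windows)"
}

# 4. Dropped file in the system folder.
$winsec = Join-Path ([Environment]::SystemDirectory) 'winsec.exe'
if (Test-Path $winsec) { $findings += "Dropped file present: $winsec" }

if ($findings.Count -eq 0) { 'No Rerdom.A persistence indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM and scheduled-task queries are not truncated by permissions; a hit on the numeric Run value alone is not proof of infection, so treat output as leads to triage.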
Payload
Downloads a file
Trojan:Win32/Rerdom.A tries to download a file from "coolsearch37845<dot>com/b/eve/c2c80c4ba41ac84cbc243fcc"
Analysis by Daniel Radu
Last update 04 April 2013