
Worm:MSIL/Rutispud.A


First posted on 07 September 2010.
Source: SecurityHome

Aliases :

Worm:MSIL/Rutispud.A is also known as Trojan horse Dropper.Generic2.AOUV (AVG), Trojan.MulDrop1.42560 (Dr.Web).

Explanation :

Worm:MSIL/Rutispud.A is a worm that can spread via removable and network drives, and opens backdoors on an affected user's computer.

Installation

Worm:MSIL/Rutispud.A makes the following registry modifications:

Adds value: "csrss"
With data: <location of threat> (for example, C:\Quick.exe)
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "csrss"
With data: <location of threat> (for example, C:\Quick.exe)
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Spreads via removable and network drives

Worm:MSIL/Rutispud.A creates a copy of itself in the root folder of every available network and removable drive on which it does not already detect a copy of itself. The worm then writes an Autorun configuration file named "autorun.inf" pointing to that copy. When the drive is accessed from a computer that supports the Autorun feature, the worm is launched automatically. Worm:MSIL/Rutispud.A then attempts to obfuscate the autorun.inf file by inserting pseudo-random lines between the working directives.

Payload

Allows backdoor access and control

Worm:MSIL/Rutispud acts as a bot on the affected user's computer. The bot component attempts to connect to its controller on TCP port 3074. The controller may instruct the backdoor to perform the following activities:

  • Download and execute arbitrary files
  • Launch (or halt) flooding attacks against a specified server
  • Remove itself from the affected computer
  • Steal credentials stored by a Firefox browser

After each command, the bot replies to its controller with a string containing a numbered code that starts with "STU~". For example, after Worm:MSIL/Rutispud has successfully downloaded a file to the user's computer, it sends "STU~003" to its controller.

Additional information

Displays a message

If there is an error while decrypting the worm's configuration information, a message box appears with the text "Are you stupid?".
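As an added illustration of the autorun.inf padding described above (example code written for this page, not part of the original analysis), the following Python parses a constructed autorun.inf the way Windows treats it, as an INI file, so the junk lines are skipped and the program the file would launch is recovered for triage:

```python
# Constructed sample autorun.inf: working directives separated by junk lines.
SAMPLE_AUTORUN_INF = """\
[autorun]
x7Qp=zz91
open=Quick.exe
;kd8Hs7
nnPo3k=q
shellexecute=Quick.exe /s
action=Open folder to view files
Z4ml
"""

# Directives that launch a program when Autorun is honoured.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}
# Directives a benign autorun.inf normally uses.
KNOWN_KEYS = EXEC_KEYS | {"icon", "label", "action", "useautoplay"}

def parse_autorun_inf(text):
    """Return ({key: value} under [autorun], count of unrecognised padding lines)."""
    directives, noise, in_autorun = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and key in KNOWN_KEYS:
            directives[key] = value.strip()
        else:
            noise += 1  # padding: no '=' at all, or an unknown key

    return directives, noise

def launch_targets(text):
    """Programs the file would run: first token of each exec directive."""
    directives, _ = parse_autorun_inf(text)
    return sorted({directives[k].split()[0].strip('"') for k in EXEC_KEYS if directives.get(k)})

def triage(text):
    """What a responder wants to know before the drive is opened on any host."""
    launches = launch_targets(text)
    _, noise = parse_autorun_inf(text)
    return {"launches": launches, "noise_lines": noise,
            "suspicious": bool(launches) and noise > 0}
```

A launch target sitting in the drive root together with padding lines is the pattern this worm leaves; a file that only sets an icon or label parses clean.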

    Analysis by Michael Johnson

    Last update 07 September 2010
