Home / malware TrojanDownloader:Win32/Recslurp.D
First posted on 01 July 2014.
Source: MicrosoftAliases :
There are no other names known for TrojanDownloader:Win32/Recslurp.D.
Explanation :
Threat behavior
Installation
TrojanDownloader:Win32/Recslurp.D creates the following files on your PC:
\rundll32.exe - c:\documents and settings\administrator\application data\csrss.exe
Payload
Stops processes
TrojanDownloader:Win32/Recslurp.D can stop the following processes:
Changes system security settings
- svchost.exe
The malware adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:
Adds value: "Client Server Runtime Process"
With data: "c:\documents and settings\administrator\application data\csrss.exe:*:enabled:client server runtime process"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Contacts remote host
The malware might contact a remote host at 46.165.240.141 using port 40002. Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 2d3a65cb8349a4c324532967799e7456f890238a.Symptoms
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
\rundll32.exe
c:\documents and settings\administrator\application data\csrss.exe
- You see these entries or keys in your registry:
Sets value: "Client Server Runtime Process"
With data: "c:\documents and settings\administrator\application data\csrss.exe:*:enabled:client server runtime process"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ListLast update 01 July 2014
