Trojan.Gamaredon
First posted on 01 May 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Gamaredon.
Explanation:
The Trojan may arrive on the compromised computer as an email attachment, or it may be downloaded by other malware that was itself delivered as an email attachment.
The Trojan arrives as a self-extracting archive containing the following files:
%Temp%\install.cmd
%Temp%\rms5.2.1.msi
%Temp%\wget.exe
When the Trojan is executed, it creates the following files:
%Windir%\AdobeUpdates\id.txt
%Windir%\AdobeUpdates\mac.txt
%Windir%\AdobeUpdates\comp.txt
%Windir%\AdobeUpdates\group.txt
%UserProfile%\Application Data\AdobeUpdates\id.txt
%UserProfile%\Application Data\AdobeUpdates\mac.txt
%UserProfile%\Application Data\AdobeUpdates\comp.txt
%UserProfile%\Application Data\AdobeUpdates\group.tx
The Trojan will attempt to uninstall the following program from the compromised computer (Remote Manipulator System is a commercial remote-administration tool; the Trojan repurposes a controlled install of it as its back door):
Remote Manipulator System
The Trojan will then execute the following file to perform a fresh install of the Remote Manipulator System program:
%Temp%\rms5.2.1.msi
The Trojan may open a back door, and connect to the following location:
[http://]rms.admin-ru.ru/updat[REMOVED]
The Trojan may steal the following information from the computer and send it to the remote location:
Content of the HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters\Options registry entry
Group name (specified inside the %Temp%\install.cmd script)
MAC address
Computer name
Last update 01 May 2015
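The host and network indicators above can be swept for mechanically. The script below is an added example written for this page, not Symantec's code and not part of the original write-up. It expands the Windows %Var% tokens from a mapping you supply (os.environ on a live Windows host, or explicit roots for a mounted image), checks whether each listed file exists, and scans proxy or DNS log lines for the command-and-control host. Two assumptions are made: the truncated final entry "group.tx" is treated as group.txt, and because the source redacts the URL path after "updat", matching is on the host rms.admin-ru.ru alone. The image layout and log lines at the bottom are constructed sample data for the demo, not observations.

```python
"""IOC sweep for the Trojan.Gamaredon artefacts listed in this write-up.

Checks (1) the dropped and created files, with the Windows %Var% tokens
expanded from a mapping you supply, and (2) proxy/DNS log lines for the
C2 host. Run it on the live host (mapping taken from os.environ) or against
a mounted image (pass the Windir/Temp/UserProfile roots explicitly).
"""
import os
import posixpath
import re

# File artefacts named in the write-up. The final %UserProfile% entry is
# truncated to "group.tx" in the source; group.txt is an assumption here.
DROPPED_FILES = [
    r"%Temp%\install.cmd",
    r"%Temp%\rms5.2.1.msi",
    r"%Temp%\wget.exe",
]
CREATED_FILES = [
    r"%Windir%\AdobeUpdates\id.txt",
    r"%Windir%\AdobeUpdates\mac.txt",
    r"%Windir%\AdobeUpdates\comp.txt",
    r"%Windir%\AdobeUpdates\group.txt",
    r"%UserProfile%\Application Data\AdobeUpdates\id.txt",
    r"%UserProfile%\Application Data\AdobeUpdates\mac.txt",
    r"%UserProfile%\Application Data\AdobeUpdates\comp.txt",
    r"%UserProfile%\Application Data\AdobeUpdates\group.txt",  # assumed
]

# Network indicator. The source redacts the URL path, so match the host only.
C2_HOST = "rms.admin-ru.ru"

_VAR = re.compile(r"%([^%]+)%")


def expand(path, env):
    """Expand %Var% tokens case-insensitively; return a forward-slash path."""
    lookup = {k.lower(): v for k, v in env.items()}

    def sub(m):
        return lookup[m.group(1).lower()]  # KeyError if the variable is unknown

    return posixpath.normpath(_VAR.sub(sub, path).replace("\\", "/"))


def find_artifacts(env, exists=os.path.exists):
    """Return the listed paths that exist; entries with unknown vars are skipped."""
    hits = []
    for raw in DROPPED_FILES + CREATED_FILES:
        try:
            p = expand(raw, env)
        except KeyError:
            continue
        if exists(p):
            hits.append(p)
    return hits


def find_c2_lines(lines):
    """Return (line_number, line) for log lines that name the C2 host."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, 1)
            if C2_HOST in line.lower()]


# Constructed sample: a mounted image at /mnt/img with two artefacts present,
# and three proxy log lines, two of which mention the C2 host. Not real data.
SAMPLE_ENV = {
    "Windir": "/mnt/img/Windows",
    "Temp": "/mnt/img/Windows/Temp",
    "UserProfile": "/mnt/img/Users/alice",
}
SAMPLE_PRESENT = {
    "/mnt/img/Windows/AdobeUpdates/id.txt",
    "/mnt/img/Windows/Temp/rms5.2.1.msi",
}
SAMPLE_PROXY_LOG = [
    "2015-05-01T08:12:03Z 10.0.0.14 GET http://www.example.com/ 200",
    "2015-05-01T08:12:05Z 10.0.0.14 GET http://rms.admin-ru.ru/ 200",
    "2015-05-01T08:13:41Z 10.0.0.27 CONNECT RMS.ADMIN-RU.RU:443 200",
]


def demo():
    """Run both checks over the constructed sample and return the hits."""
    files = find_artifacts(SAMPLE_ENV, exists=lambda p: p in SAMPLE_PRESENT)
    c2 = find_c2_lines(SAMPLE_PROXY_LOG)
    return files, c2


if __name__ == "__main__":
    if os.name == "nt":  # live Windows host: real environment, real filesystem
        found, c2_hits = find_artifacts(os.environ), []
    else:
        found, c2_hits = demo()
    for p in found:
        print("artefact present:", p)
    for n, line in c2_hits:
        print(f"C2 host in log line {n}: {line}")
```

Any file hit warrants pulling the AdobeUpdates directory and %Temp%\install.cmd for the group name, and checking the HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters\Options key and the installed-programs list for Remote Manipulator System, since the script above covers files and logs only.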