
Backdoor.Rifelku


First posted on 25 February 2016.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Rifelku.

Explanation:

When the Trojan is executed, it creates the following folder: %ProgramFiles%\Common Files\Graphics
Next, the Trojan creates the following file: %ProgramFiles%\Common Files\Graphics\guifx.exe
The Trojan then creates the following registry entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Graphics" = "%ProgramFiles%\Common Files\Graphics\guifx.exe /run"
Next, the Trojan connects to the following remote location through TCP port 443: 165.194.123.67
The Trojan then sends the following system information to this remote location:
- OS version
- User name
- Computer name
- Network adapter details
The Trojan may then perform the following actions:
- Open a back door
- Download and execute files
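A host triage check for the indicators listed above, added here as an example and not part of the Symantec writeup. It assumes it runs in the context of the user whose HKCU hive is of interest and that the Get-NetTCPConnection cmdlet is available (Windows 8 / Server 2012 and later); it also checks the 32-bit Program Files root, since a 32-bit sample on a 64-bit system resolves %ProgramFiles% there.

```powershell
# Added example, not from the Symantec writeup: triage a Windows host for the
# Backdoor.Rifelku indicators (dropped file, HKCU Run value, C2 address).
# Assumes the current user's HKCU hive is the one of interest and that
# Get-NetTCPConnection exists (Windows 8 / Server 2012+).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$c2Addr = '165.194.123.67'
$c2Port = 443

# Both Program Files roots: a 32-bit sample on a 64-bit OS lands in "Program Files (x86)".
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$dropPaths = $roots | ForEach-Object { Join-Path $_ 'Common Files\Graphics\guifx.exe' }

$findings = @()

# 1. Persistence: Run value named "Graphics" that launches guifx.exe /run
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).Graphics
if ($runValue -and $runValue -match 'guifx\.exe') {
    $findings += "Run value 'Graphics' present: $runValue"
}

# 2. Dropped file; record its hash so the sample can be tied to this host later
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File present: $p (SHA256 $hash)"
    }
}

# 3. Live TCP connection to the reported remote location on port 443
$conns = Get-NetTCPConnection -RemoteAddress $c2Addr -RemotePort $c2Port -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Connection to ${c2Addr}:$c2Port from PID $($c.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Rifelku indicators found on this host.'
} else {
    Write-Output 'Backdoor.Rifelku indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The registry and file checks are the stronger signals; the address dates from this 2016 writeup and may since have been reassigned, so a connection hit on its own warrants confirmation rather than a verdict.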

Last update 25 February 2016
