
Trojan:Win32/Ramdo.A


First posted on 18 January 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Ramdo.A.

Explanation:

Threat behavior

Installation

It drops itself into your PC as the file %APPDATA%\version.dll. It renames itself as \HpM3Util.exe so that it starts every time Windows starts.

It creates these registry values to store its configuration data:

In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Sets value: "tLast_ReadedSpec"
With data: ""

In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Sets value: "tLastCollab_doc"
With data: ""

Payload

Disables features of security software

This threat injects itself into all 32-bit processes and then tries to unload these DLL files:

  • UMEngx86.dll
  • wl_hook.dll


These files are used by certain security software, so if this threat is successful in unloading these files, your security software won't run properly.

Connects to a server

This threat tries to collect the following information about your PC:

  • What operating system version you're running
  • If it's running in a virtual environment
  • What version of Adobe Flash is installed in your PC
  • How many processors you have in your PC
  • Your PC's GUID


It then tries to send the information to a server with a name generated using a specific algorithm.

Depending on commands from the server, it might also do the following on your PC:

  • Update itself
  • Update its configuration
  • Load modules


Does click-fraud

It does click-fraud by generating fake clicks on ads served from the server at 95.211.193.11 (using starmina.net as the referrer).

It also hooks these APIs to hide its click-fraud activities:

  • CoCreateInstance
  • DialogBoxIndirectParamAorW
  • GetCursorPos
  • waveOutOpen
  • waveOutSetVolume


Depending on how many processors you have in your PC, this threat might start one or multiple instances of these files, into which it injects itself to do its click-fraud activities:

  • %SystemRoot%\twunk_32.exe
  • %SystemRoot%\winhlp32.exe


It also creates these registry values to hide the browser while it does click-fraud:

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Sets value: "twunk_32.exe"
With data: "9000"
Sets value: "winhlp32.exe"
With data: "9000"



Analysis by Shawn Wang

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
    • %APPDATA%\version.dll
    • \HpM3Util.exe
  • You see these entries or keys in your registry:

    In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
    Sets value: "tLast_ReadedSpec"
    With data: ""

    In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
    Sets value: "tLastCollab_doc"
    With data: ""
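
The file and registry indicators listed in this write-up can be checked on a host with the following PowerShell script. It is an added example, not part of the Microsoft write-up; the directory of HpM3Util.exe is not given on the page, so searching the user profile for it is an assumption, and the FEATURE_BROWSER_EMULATION values from the Payload section are included as extra indicators.

```powershell
# Added example: look for the Trojan:Win32/Ramdo.A indicators named on this page.
# Assumes it runs as the affected user (HKCU and %APPDATA% are per-user).
$findings = @()

# 1. Dropped file in %APPDATA%
$versionDll = Join-Path $env:APPDATA 'version.dll'
if (Test-Path -LiteralPath $versionDll) {
    $findings += "File present: $versionDll"
}

# 2. HpM3Util.exe: its directory is not stated on the page, so search the
#    user profile for it (assumption, not from the write-up)
$hpm = Get-ChildItem -Path $env:USERPROFILE -Filter 'HpM3Util.exe' -Recurse -File `
       -ErrorAction SilentlyContinue | Select-Object -First 1
if ($hpm) {
    $findings += "File present: $($hpm.FullName)"
}

# 3. Configuration values the threat stores under the Adobe ARM key
$armKey = 'HKCU:\SOFTWARE\Adobe\Adobe ARM\1.0\ARM'
foreach ($name in 'tLast_ReadedSpec', 'tLastCollab_doc') {
    $val = Get-ItemProperty -Path $armKey -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $findings += "Registry value present: $armKey\$name"
    }
}

# 4. FEATURE_BROWSER_EMULATION entries for the two system binaries the threat
#    injects into; legitimate software has no reason to register these names
$febKey = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
foreach ($exe in 'twunk_32.exe', 'winhlp32.exe') {
    $val = Get-ItemProperty -Path $febKey -Name $exe -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $findings += "Registry value present: $febKey\$exe = $($val.$exe)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Ramdo.A indicators from this write-up were found.'
} else {
    Write-Output 'Possible Trojan:Win32/Ramdo.A indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the FEATURE_BROWSER_EMULATION entries alone is a strong signal, since twunk_32.exe and winhlp32.exe are not browsers and would not normally appear under that key.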

Last update 18 January 2014
