
TrojanDropper:Win32/Redsip.A


First posted on 08 June 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Redsip.A is also known as Trojan.Win32.FakeMS.vq (Rising AV), Troj/Agent-MSC (Sophos).

Explanation :

TrojanDropper:Win32/Redsip.A is a trojan that installs other Win32/Redsip trojan components. Win32/Redsip is a trojan that allows limited remote access to, and control of, an affected computer.

Installation

When TrojanDropper:Win32/Redsip.A is run, it drops the following files:

<system folder>\Startup.dll - Backdoor:Win32/Redsip.A!svc
<system folder>\Connect.dll - Backdoor:Win32/Redsip.A!dll

The trojan installer creates a service named "CryptHost" to run the dropped component "Startup.dll" as a service. The service is registered as an svchost.exe-hosted service: the SvcHost key defines the host group, and the ServiceDll value under the service's Parameters key tells svchost.exe which DLL to load.

Sets value: "CryptHost"
With data: "crypthost"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

Sets value: "ServiceDll"
With data: "<system folder>\startup.dll"
In subkey: HKLM\SYSTEM\ControlSet001\Services\CryptHost\Parameters

The trojan installer also adds registry data identifying a remote server name that the trojan component attempts to contact, as in the following example:

Sets value: "connect1"
With data: "blog.afbjz.com"
In subkey: HKLM\Software\RAT

When Backdoor:Win32/Redsip.A!svc runs, it loads the component "connect.dll" and calls its export named "PluginExecute" to perform certain actions.

Additional Information

For more information about Backdoor:Win32/Redsip.A!dll, see the description elsewhere in the encyclopedia.
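The installation details above are exactly the artifacts an incident responder would sweep a host for. The following PowerShell script is an added example (not part of the encyclopedia entry and not Microsoft's or the malware author's code) that checks the dropped file paths, the SvcHost group registration, the CryptHost ServiceDll value and the HKLM\Software\RAT configuration key, and then goes beyond the specific indicators with a generic sweep of every svchost-hosted service whose ServiceDll is missing or not validly signed, since a later variant would not reuse the same names. The file and key names come from the description; the CurrentControlSet lookup and the signature sweep are assumptions added here.

```powershell
# Hunt for the TrojanDropper:Win32/Redsip.A persistence artifacts.
# Added example; run from an elevated PowerShell prompt on the host under review.
$sys32    = Join-Path $env:SystemRoot 'System32'   # the "<system folder>" of the description
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped components. NTFS name matching is case-insensitive, so the
#    "Startup.dll"/"startup.dll" spelling difference in the description is irrelevant.
foreach ($name in 'Startup.dll', 'Connect.dll') {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file present: $p") }
}

# 2. svchost group registration. Each value under the SvcHost key names a host
#    group and lists the services it runs; the dropper adds "CryptHost" -> "crypthost".
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$grp = Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue
if ($grp -and ($grp.PSObject.Properties.Name -contains 'CryptHost')) {
    $findings.Add("SvcHost group 'CryptHost' registered: $($grp.CryptHost -join ',')")
}

# 3. Service definition. The description cites ControlSet001; CurrentControlSet is a
#    link to the active control set and normally resolves to the same key (assumption:
#    check both so a host booted from another control set is not missed).
foreach ($cs in 'CurrentControlSet', 'ControlSet001') {
    $paramKey = "HKLM:\SYSTEM\$cs\Services\CryptHost\Parameters"
    $svc = Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add("Service CryptHost ServiceDll ($cs): $($svc.ServiceDll)") }
}

# 4. C2 configuration. "connect1" is only the example value name given, so report
#    every value stored under HKLM\Software\RAT rather than one fixed name.
$ratKey = 'HKLM:\SOFTWARE\RAT'
if (Test-Path -LiteralPath $ratKey) {
    (Get-ItemProperty -Path $ratKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath/PSParentPath etc.
        ForEach-Object { $findings.Add("HKLM\SOFTWARE\RAT value $($_.Name) = $($_.Value)") }
}

# 5. Generic sweep (beyond the page's indicators): any svchost-hosted service whose
#    ServiceDll file is missing or carries no valid Authenticode signature is triaged.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll `
                -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }                              # not an svchost-hosted service
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -LiteralPath $expanded)) {
        $findings.Add("ServiceDll for $($_.PSChildName) does not exist on disk: $dll")
        return
    }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -ne 'Valid') {
        $findings.Add("ServiceDll for $($_.PSChildName) not validly signed ($($sig.Status)): $expanded")
    }
}

if ($findings.Count -eq 0) { 'No Redsip.A indicators found.' } else { $findings }
```

Registry value and key names are matched case-insensitively by Windows, which is why the script does not care whether the value was written as "CryptHost" or "crypthost". Treat the signature sweep as a triage list rather than a verdict: on older Windows releases Get-AuthenticodeSignature reports catalog-signed system DLLs as NotSigned, so a hit there needs a second look (hash lookup, file version, creation time) before it is called malicious.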

Analysis by Dan Kurc

Last update 08 June 2010

 
