Home / malwarePDF  

Backdoor:Win32/Redsip.B!svc


First posted on 08 June 2010.
Source: SecurityHome

Aliases :

Backdoor:Win32/Redsip.B!svc is also known as Win-Trojan/Securisk (AhnLab), W32/PCClient.AIJ (Authentium (Command)), Win32/PcClient.AAV (CA), Trojan-Downloader.Win32.Agent.cznt (Kaspersky).

Explanation :

Backdoor:Win32/Redsip.B!svc is a trojan that allows limited remote access and control of an affected computer.
Top

Backdoor:Win32/Redsip.B!svc is a trojan that allows limited remote access and control of an affected computer. InstallationBackdoor:Win32/Redsip.B!svc may be present as the following: <system folder>\svcips .dll - Backdoor:Win32/Redsip.B!svc The registry may be modified to instruct Backdoor:Win32/Redsip to communicate with a remote server. Sets value: "connect1"With data: "smith09.gicp.net"In subkey: HKLM\Software\RAT When Backdoor:Win32/Redsip.B!svc runs, it loads and runs an export named "PluginExecute" to perform certain actions. Payload Connects to remote serverBackdoor:Win32/Redsip.B!svc attempts to connect to a server named "smith09.gicp.net" using TCP port 80. Allows limited remote access and controlBackdoor:Win32/Redsip loads and runs an export named "PluginExecute". The export supports numerous commands that may be returned by the server such as the following: CMD_SET_REM CMD_File_FIND CMD_File_Managers CMD_RESET_HOST CMD_Screen_Managers CMD_CLOSE_HOST CMD_UNINSTALL_HOST SHELL_CMD CMD_REGEDIT SERVICE_ENUM PROCESS_ENUM PLUGIN_INSTALL CMD_VIDEO CMD_KEYBOARD Commands are initiated from the server by starting associated "plugin" dlls, for example: PluginFile.dll PluginScreen.dll PluginKeyboard.dll PluginProcess.dll etc.

Analysis by Dan Kurc

Last update 08 June 2010

 

TOP

Malware :