Home / malware Backdoor:Win32/Redsip.B!svc
First posted on 08 June 2010.
Source: SecurityHomeAliases :
Backdoor:Win32/Redsip.B!svc is also known as Win-Trojan/Securisk (AhnLab), W32/PCClient.AIJ (Authentium (Command)), Win32/PcClient.AAV (CA), Trojan-Downloader.Win32.Agent.cznt (Kaspersky).
Explanation :
Backdoor:Win32/Redsip.B!svc is a trojan that allows limited remote access and control of an affected computer.
Top
Backdoor:Win32/Redsip.B!svc is a trojan that allows limited remote access and control of an affected computer. InstallationBackdoor:Win32/Redsip.B!svc may be present as the following: <system folder>\svcips .dll - Backdoor:Win32/Redsip.B!svc The registry may be modified to instruct Backdoor:Win32/Redsip to communicate with a remote server. Sets value: "connect1"With data: "smith09.gicp.net"In subkey: HKLM\Software\RAT When Backdoor:Win32/Redsip.B!svc runs, it loads and runs an export named "PluginExecute" to perform certain actions. Payload Connects to remote serverBackdoor:Win32/Redsip.B!svc attempts to connect to a server named "smith09.gicp.net" using TCP port 80. Allows limited remote access and controlBackdoor:Win32/Redsip loads and runs an export named "PluginExecute". The export supports numerous commands that may be returned by the server such as the following: CMD_SET_REM CMD_File_FIND CMD_File_Managers CMD_RESET_HOST CMD_Screen_Managers CMD_CLOSE_HOST CMD_UNINSTALL_HOST SHELL_CMD CMD_REGEDIT SERVICE_ENUM PROCESS_ENUM PLUGIN_INSTALL CMD_VIDEO CMD_KEYBOARD Commands are initiated from the server by starting associated "plugin" dlls, for example: PluginFile.dll PluginScreen.dll PluginKeyboard.dll PluginProcess.dll etc.
Analysis by Dan KurcLast update 08 June 2010