
Trojan.Rhubot


First posted on 09 May 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Rhubot.

Explanation:

When the Trojan is executed, it creates the following files:

%UserProfile%\Application Data\msup1.exe
%UserProfile%\Application Data\msup2.exe
%UserProfile%\Application Data\msup3.exe
%UserProfile%\Application Data\msup4.exe
%UserProfile%\Application Data\msup5.exe
%UserProfile%\Application Data\msup6.exe
%UserProfile%\Application Data\msup7.exe
%UserProfile%\Application Data\msup8.exe
%UserProfile%\Application Data\msup9.exe
%UserProfile%\Application Data\msup10.exe
%UserProfile%\Application Data\msup11.exe
%UserProfile%\Application Data\msup12.exe
%UserProfile%\Application Data\msup13.exe
%UserProfile%\Application Data\msup14.exe
%UserProfile%\Application Data\msup15.exe
%UserProfile%\Application Data\msup16.exe
%UserProfile%\Application Data\msup17.exe
%UserProfile%\Application Data\msup18.exe
%UserProfile%\Application Data\msup19.exe
%UserProfile%\Application Data\msup20.exe

Next, the Trojan creates the following registry entries so that each dropped file runs at logon:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup1.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup2.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup3.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup4.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup5.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup6.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup7.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup8.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup9.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup10.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup11.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup12.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup13.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup14.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup15.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup16.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup17.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup18.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup19.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\msup20.exe"

The Trojan then connects to the following remote locations:

vsehnahuy.com
blog32.ru
tryboots.ru
91.226.127.175
teleon2.ru
aktualisieren-soft.ru

The Trojan may then perform the following actions:

Retrieve a list of targeted websites
Use the compromised computer to perform DDoS attacks
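As an added example (not part of the Symantec writeup), the following Python turns the indicators above into two defender-side checks: one over HKCU Run-key entries exported from a host (for example an Autoruns or registry export), flagging values that point at msup1.exe through msup20.exe in the profile's Application Data folder, and one over DNS or proxy log hostnames, matching the remote locations listed. The sample entries and hostnames are constructed for the demonstration.

```python
import re
from typing import Iterable, List, Tuple

# Persistence key and dropped-file pattern taken from the writeup above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Matches msup1.exe .. msup99.exe under "<profile>\Application Data";
# the range check in is_rhubot_dropped_file() narrows it to 1..20.
DROPPED_FILE_RE = re.compile(
    r'^"?(?:%userprofile%|[a-z]:\\[^"]*?)\\application data\\msup(\d{1,2})\.exe"?$',
    re.IGNORECASE,
)
# Remote locations listed in the writeup (compared case-insensitively).
C2_HOSTS = {"vsehnahuy.com", "blog32.ru", "tryboots.ru",
            "91.226.127.175", "teleon2.ru", "aktualisieren-soft.ru"}


def is_rhubot_dropped_file(value: str) -> bool:
    """True if a Run-key value (quoted or not) points at msup1..msup20.exe in Application Data."""
    m = DROPPED_FILE_RE.match(value.strip())
    return bool(m) and 1 <= int(m.group(1)) <= 20


def find_rhubot_persistence(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (value_name, value_data) pairs under the HKCU Run key that match the pattern.

    entries: (key_path, value_name, value_data) triples, e.g. parsed from a registry export.
    """
    hits = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and is_rhubot_dropped_file(data):
            hits.append((name, data))
    return hits


def find_rhubot_c2(hosts: Iterable[str]) -> List[str]:
    """Return the observed hostnames/IPs that match the writeup's remote locations."""
    seen = {h.strip().lower().rstrip(".") for h in hosts}
    return sorted(seen & C2_HOSTS)


# Constructed sample data (hypothetical, not from the writeup): two benign autoruns
# and two entries shaped like the Trojan's persistence. Value names are random per the writeup.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
    (RUN_KEY, "ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    (RUN_KEY, "xkqzp", r"C:\Documents and Settings\alice\Application Data\msup1.exe"),
    (RUN_KEY, "qwrtl", r"%UserProfile%\Application Data\msup20.exe"),
]
SAMPLE_DNS = ["www.example.com", "blog32.ru.", "TELEON2.RU", "91.226.127.175"]

if __name__ == "__main__":
    for name, data in find_rhubot_persistence(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry {name!r} -> {data}")
    print("matching remote locations:", find_rhubot_c2(SAMPLE_DNS))
```

On a live host the same functions can be fed from `winreg` (HKCU Run values) and from the resolver or proxy logs; a hit on either check is a strong indicator, since msup<N>.exe has no legitimate counterpart in that folder.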

Last update 09 May 2014
