
TrojanDownloader:Win32/Recslurp.B


First posted on 01 July 2014.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Recslurp.B.

Explanation:

Threat behavior

Installation

TrojanDownloader:Win32/Recslurp.B creates the following files on your PC:

  • \rundll32.exe
  • c:\documents and settings\administrator\application data\csrss.exe
  • c:\documents and settings\administrator\application data\svchost.exe


Payload

Stops processes

TrojanDownloader:Win32/Recslurp.B can stop the following processes:

  • svchost.exe

Changes system security settings

The malware adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:

Adds value: "Client Server Runtime Process"
With data: "c:\documents and settings\administrator\application data\csrss.exe:*:enabled:client server runtime process"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Contacts remote hosts

The malware can contact the following remote hosts:

  • 91.226.212.32 using port 9026
  • 91.226.212.32 using port 9631
  • smtp.gmail.com using port 25

Commonly, malware contacts a remote host to:
  • Confirm Internet connectivity
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files (including updates and other malware)
  • Receive instruction from a remote hacker
  • Upload information taken from your PC

This malware description was produced and published using automated analysis of file SHA1 29dec18b8821b4966c0b2d373bc6f694610bee76.

Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    \rundll32.exe
    c:\documents and settings\administrator\application data\csrss.exe
    c:\documents and settings\administrator\application data\svchost.exe
  • You see these entries or keys in your registry:

    Sets value: "Client Server Runtime Process"
    With data: "c:\documents and settings\administrator\application data\csrss.exe:*:enabled:client server runtime process"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Last update 01 July 2014
