Home / malware Backdoor:Win32/Truvasys.C!dha
First posted on 15 December 2016.
Source: MicrosoftAliases :
There are no other names known for Backdoor:Win32/Truvasys.C!dha.
Explanation :
When launched, this backdoor's initial dropper displays a message that appears to be selected at random. Here is one of the messages:
The version of Microsoft Office installed on this system is not updated.
The dropper then creates a hidden folder rspDB inside the %TEMP% folder and places several files inside that folder:
- %TEMP%/rspDB/resdllx.dll - a clean DLL file containing functions for secure communications
- %TEMP%/rspDB/winxsys.exe - the main backdoor component
- %TEMP%/rspDB/parameters.txt - a configuration file
The configuration file stores backdoor settings, including its command and control (C&C) addresses, communication port, and registry keys and values. An attacker may change these settings to keep the backdoor and its activities from being noticed.
To stay persistent, this backdoor creates the following autorun registry entry:
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: TaskMgr
Data: C:\Users\Pedro\AppData\Local\Temp\rspDB\winxsys.exe
Analysis by Mathieu LetourneauLast update 15 December 2016