Backdoor.Redsip
First posted on 17 February 2016.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Redsip.
Explanation:
When this Trojan is executed, it creates the following files:
%AllUsersProfile%\updata\AdobeTray.exe
%AllUsersProfile%\updata\McUtil.dll
%AllUsersProfile%\updata\server.db
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"updata" = "%AllUsersProfile%\updata\\ADOBET~1.EXE"
The Trojan also creates the following registry entries:
HKEY_CURRENT_USER\Software\XXZH\"load_path" = "[MALWARE PATH]"
HKEY_CURRENT_USER\Software\XXZH\"key" = "[RANDOM CHARACTERS]"
The Trojan then opens a back door on the compromised computer and connects to the following remote location:
[http://]ns1.symantec-inc.com/inde[REMOVED]
Last update 17 February 2016
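The indicators above are enough to hunt for this backdoor on a host, but two details trip up naive matching: the Run value stores the dropper under its 8.3 short name (ADOBET~1.EXE), so a rule keyed on "AdobeTray.exe" misses the autorun entry, and the callback hostname borrows the vendor's name, so a substring match on "symantec" would either miss it or drown in legitimate traffic. The following script is an added example written for this page, not Symantec's code or the original write-up's: it parses a registry export in .reg format, a file listing and a list of DNS query names, and reports which of the write-up's indicators are present. The registry export, file paths and DNS names embedded below are constructed for illustration, and the example assumes %AllUsersProfile% resolves to C:\ProgramData as it does on modern Windows.

```python
"""Host-based hunt for the Backdoor.Redsip indicators listed in the write-up.

Added example, not part of the original page. Feed it the output of
`reg export HKCU out.reg`, a listing of %AllUsersProfile%, and DNS query
logs; the inputs below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Indicators taken from the write-up. The Run value uses the 8.3 short name
# ADOBET~1.EXE, so the rule keys on the "updata" directory, not the long name.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\XXZH"
DROP_DIR = "updata"
DROPPED_FILES = {"adobetray.exe", "mcutil.dll", "server.db"}
C2_HOST = "ns1.symantec-inc.com"   # exact host, not a "symantec" substring


@dataclass
class Finding:
    kind: str      # "run_key", "marker_key", "dropped_file" or "c2_dns"
    detail: str


_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files write backslashes as \\ and embedded quotes as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the .reg subset we need: [key] headers and "name"="string" values.

    Non-string data (dword:, hex:) is kept as the raw text after the '='."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_registry(keys: dict[str, dict[str, str]]) -> list[Finding]:
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k == RUN_KEY.lower():
            for name, data in values.items():
                # match the value name or any Run entry launched from \updata\
                if name.lower() == "updata" or f"\\{DROP_DIR}\\" in data.lower():
                    findings.append(Finding("run_key", f'{key}\\"{name}" = "{data}"'))
        if k == MARKER_KEY.lower() or k.startswith(MARKER_KEY.lower() + "\\"):
            findings.append(Finding("marker_key", f"{key} values={sorted(values)}"))
    return findings


def check_files(paths: list[str]) -> list[Finding]:
    findings = []
    for p in paths:
        parts = p.replace("/", "\\").lower().split("\\")
        # a dropped file is only interesting when it sits in the updata directory
        if len(parts) >= 2 and parts[-2] == DROP_DIR and parts[-1] in DROPPED_FILES:
            findings.append(Finding("dropped_file", p))
    return findings


def check_dns(queries: list[str]) -> list[Finding]:
    return [Finding("c2_dns", q) for q in queries if q.rstrip(".").lower() == C2_HOST]


# Constructed sample inputs (not real captures); %AllUsersProfile% assumed
# to be C:\ProgramData.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"updata"="C:\\ProgramData\\updata\\ADOBET~1.EXE"

[HKEY_CURRENT_USER\Software\XXZH]
"load_path"="C:\\ProgramData\\updata\\AdobeTray.exe"
"key"="q8Zt1vX0"
'''
SAMPLE_FILES = [
    r"C:\ProgramData\updata\AdobeTray.exe",
    r"C:\ProgramData\updata\McUtil.dll",
    r"C:\ProgramData\updata\server.db",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini",
]
SAMPLE_DNS = ["ns1.symantec-inc.com", "liveupdate.symantec.com", "time.windows.com"]


def hunt(reg_text=SAMPLE_REG, file_paths=SAMPLE_FILES, dns_queries=SAMPLE_DNS) -> list[Finding]:
    keys = parse_reg_export(reg_text)
    return check_registry(keys) + check_files(file_paths) + check_dns(dns_queries)


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.kind}] {f.detail}")
```

On the sample data the script reports one Run entry, the XXZH marker key, the three dropped files and the callback host; the legitimate OneDrive autorun, desktop.ini and liveupdate.symantec.com are left alone. The registry parser only handles the string values the write-up describes, so on a real export it will silently keep dword: and hex: data as raw text.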