Backdoor:Win32/R2d2.A
First posted on 13 October 2011.
Aliases:
Backdoor:Win32/R2d2.A is also known as Win-Trojan/R2d2.360448 (AhnLab), W32/R2D2.A (Command), Win32/R2D2.A (ESET), Backdoor.Win32.R2D2.a (Kaspersky), Troj/BckR2D2-A (Sophos), Backdoor.R2D2 (Symantec).
Explanation:
Backdoor:Win32/R2d2.A is a trojan that communicates with a remote server to listen for commands from an attacker. The trojan monitors Skype communications, captures screen shots and may download and execute arbitrary files.
Installation
This trojan may be installed by another process and may be present in the Windows system folder as the following:
- %windir%\System32\mfc42ul.dll
The registry is modified to run the malware at each Windows start. Because AppInit_DLLs is processed by user32.dll, the DLL is loaded into every process that loads user32.dll; the backdoor itself then stays dormant except in the processes listed below under "Communicates with a remote server".
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "%windir%\System32\mfc42ul.dll"
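The AppInit_DLLs entry above is the persistence mechanism a responder checks first. The following Python script is an added example; it is not part of the original encyclopedia entry and not Microsoft's code. It parses the text that `reg export` produces for the persistence key and flags any AppInit_DLLs element whose file name is mfc42ul.dll. The sample export is constructed: it also includes the Wow6432Node key that 64-bit Windows uses for 32-bit processes and the LoadAppInit_DLLs value that gates AppInit_DLLs loading on Windows Vista and later, neither of which this page mentions. Both the REG_SZ (plain string) and REG_EXPAND_SZ (hex(2), UTF-16LE with line continuations) encodings are handled because the value may be stored either way.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what `reg export` of the persistence key might look like on an infected
# host. Values are illustrative, not a real capture. The Wow6432Node key (used by 32-bit
# processes on 64-bit Windows) and LoadAppInit_DLLs are not mentioned on the original page.
# The second key stores the value as REG_EXPAND_SZ (hex(2), UTF-16LE) to exercise that path.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\mfc42ul.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,66,00,63,\
  00,34,00,32,00,75,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00
'''

# File name this page attributes to Backdoor:Win32/R2d2.A's AppInit_DLLs entry.
INDICATOR_DLLS = frozenset({"mfc42ul.dll"})

# "name"=data  or  @=data (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg escapes a backslash as \\ and a double quote as \"; drop the escaping backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(data: str) -> object:
    """Decode the right-hand side of a .reg value line into str, int, list or bytes."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                       # REG_SZ
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)               # REG_DWORD
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        raw = bytes.fromhex(m.group(2).replace(",", ""))
        kind = int(m.group(1) or "3")                      # bare "hex:" is REG_BINARY (3)
        if kind in (2, 7):                                 # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE
            text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
            return text.split("\x00") if kind == 7 else text
        return raw
    return data                                            # unrecognised type: keep raw text


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax that `reg export` emits: key headers and value lines."""
    keys: Dict[str, Dict[str, object]] = {}
    # Physical lines ending in '\' are continuations of one logical (hex) value line.
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    current = None
    for line in logical:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        keys[current][name] = _decode_value(m.group(3))
    return keys


def find_appinit_hits(keys: Dict[str, Dict[str, object]],
                      indicators=INDICATOR_DLLS) -> List[Tuple[str, str]]:
    """Return (registry key, DLL path) for every AppInit_DLLs element naming an indicator file.

    AppInit_DLLs is a space- or comma-separated list of paths, so each element is checked on
    its own and compared by file name, case-insensitively (the registry is case-insensitive).
    """
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        for name, value in values.items():
            if name.lower() != "appinit_dlls" or not isinstance(value, str):
                continue
            for element in re.split(r"[ ,]+", value.strip()):
                path = element.strip('"')
                if not path:
                    continue
                base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if base in indicators:
                    hits.append((key, path))
    return hits


def load_appinit_enabled(keys: Dict[str, Dict[str, object]]) -> bool:
    """True if any exported key has LoadAppInit_DLLs = 1 (the Vista+ gate for AppInit_DLLs)."""
    return any(v == 1 for values in keys.values()
               for n, v in values.items() if n.lower() == "loadappinit_dlls")


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, path in find_appinit_hits(parsed):
        print(f"AppInit_DLLs indicator: {path}  (in {key})")
    print("LoadAppInit_DLLs enabled:", load_appinit_enabled(parsed))
```

On a live host the same check is `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg` followed by running the script over out.reg (the exported file is UTF-16 with a byte-order mark, so open it with encoding="utf-16"). A hit only confirms the persistence entry; the DLL and the driver %windir%\System32\winsys32.sys listed under Payload should still be collected before any cleanup removes them.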
Payload
Installs additional component
Backdoor:Win32/R2d2.A creates the following component, detected as Trojan:Win32/R2d2.A!rootkit:
- %windir%\System32\winsys32.sys
This component is used by the backdoor to perform the following actions:
- Delete or rename protected files by modifying registry data
- Modify other registry data
- Modify file information properties of files
- Create or modify files
- Link to \\Device\KeyboardClassC to capture keystrokes
For more information about Trojan:Win32/R2d2.A!rootkit, see the description elsewhere in the encyclopedia.
Communicates with a remote server
Backdoor:Win32/R2d2.A is only activated for the following set of processes:
- explorer.exe
- Skype.exe
- SkypePM.exe
- msnmsgr.exe
- yahoomessenger.exe
- x-lite.exe
- sipgatexlite.exe
Backdoor:Win32/R2d2.A connects to a remote server to listen for commands from an attacker. Commands could instruct the trojan to perform the following actions:
- Monitor incoming and outgoing calls
- Send collected Skype data, version information and online status to a remote server
- Download and execute arbitrary files
- Take desktop screen shots during web browsing with the following applications:
  - firefox.exe
  - iexplore.exe
  - opera.exe
  - navigator.exe
  - seamonkey.exe
Analysis by Jireh Sanico
Last update 13 October 2011