
Backdoor.Redsip.B


First posted on 18 February 2016.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Redsip.B.

Explanation:

Once executed, the Trojan creates the following files:
%AllUsersProfile%\updata\connect
%AllUsersProfile%\updata\set.ini
%AllUsersProfile%\updata\server.db
%AllUsersProfile%\updata\nspr4.dll
%AllUsersProfile%\updata\nss3.dll
%AllUsersProfile%\updata\firefox.exe
%AllUsersProfile%\updata\sleep.db

The Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%AllUsersProfile%\updata\firefox.exe"
HKEY_CURRENT_USER\Software\XXZH\"load_path" = "[PATH TO DROPPER]"
HKEY_CURRENT_USER\Software\XXZH\"pid" = "[DROPPER NUMERICAL PROCESS ID]"
Next, the Trojan opens a back door on the compromised computer and connects to one or more of the following remote locations:
yk.vip53.cn (over UDP port 443)
mail.vip53.cn (over UDP port 447)
ashex.eicp.net (over UDP port 8089)

The Trojan may then perform the following actions:
Download and execute potentially malicious files
End its activities
Uninstall itself

The Trojan may also gather the following information from the compromised computer and send it to a remote location:
Host name
User name
Operating system version
List of available drives and space available
Total memory
Processor information
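An added host triage check (example code, not Symantec's or the page's own) that looks for the three registry values and the dropped files listed above. It assumes it is run as the user whose HKCU hive is being inspected; the variable names are the example's own.

```powershell
# Added example: triage check for the Backdoor.Redsip.B indicators in the writeup.
# Assumes it runs in the session of the user whose HKCU hive should be inspected.
$findings = @()

# Persistence: the "load" value under Windows NT\CurrentVersion\Windows is run at
# logon; the writeup says the Trojan points it at %AllUsersProfile%\updata\firefox.exe.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $winKey -Name 'load' -ErrorAction SilentlyContinue).load
if ($load) {
    $findings += "'load' value is set: $load"
    if ($load -like '*\updata\firefox.exe') {
        $findings += "'load' value matches the Redsip.B persistence path"
    }
}

# The dropper records its own path and process ID under HKCU\Software\XXZH.
$xxzhKey = 'HKCU:\Software\XXZH'
if (Test-Path $xxzhKey) {
    $p = Get-ItemProperty -Path $xxzhKey
    $findings += "HKCU\Software\XXZH present: load_path=$($p.load_path) pid=$($p.pid)"
}

# Dropped files under %AllUsersProfile%\updata (the ALLUSERSPROFILE environment variable).
$dropDir = Join-Path $env:ALLUSERSPROFILE 'updata'
$dropped = 'connect','set.ini','server.db','nspr4.dll','nss3.dll','firefox.exe','sleep.db'
foreach ($name in $dropped) {
    $path = Join-Path $dropDir $name
    if (Test-Path $path) { $findings += "dropped file present: $path" }
}

if ($findings.Count -eq 0) {
    'No Backdoor.Redsip.B indicators found.'
} else {
    $findings
}
```

A hit on the 'load' value alone is worth examining even when the path differs, since that value is rarely set on a clean workstation.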

Last update 18 February 2016
