Trojan:Win32/Resmu.A!rootkit
First posted on 20 September 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Resmu.A!rootkit is also known as Trojan-Downloader.Win32.Small.kos (Kaspersky), W32/Rootkit.CALW (Norman), Trojan.DL.Small.DNWB (VirusBuster), Downloader.Agent2.YNI (AVG), TR/Dldr.Small.kos (Avira), Rootkit.Posid.A (BitDefender), Win32/SillyDl.WMX (CA), Trojan.PWS.Stealer.280 (Dr.Web), Win32/Rootkit.Agent.NTI (ESET), Trojan-Downloader.Agent2 (Ikarus), Trojan.Win32.Generic.5220121B (Rising AV), Troj/Small-ENX (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), Hacktool.Rootkit (Symantec), TROJ_SMALL.LSA (Trend Micro).
Explanation:
Trojan:Win32/Resmu.A!rootkit is a kernel-mode rootkit that is installed by TrojanDropper:Win32/Resmu.A.

Installation
When run, TrojanDropper:Win32/Resmu.A drops Trojan:Win32/Resmu.A!rootkit as the following file:
<system folder>\drivers\srenum.sys
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.
The registry is modified to run the dropped component at each Windows start.
Adds value: "ImagePath"
With data: "<system folder>\drivers\srenum.sys"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\srenum
The following other files are created during installation of Trojan:Win32/Resmu.A!rootkit:
<current folder>\ndisrd.sys
<current folder>\ndisrd.inf
<current folder>\ndisrd_m.inf
where <current folder> is the folder in which TrojanDropper:Win32/Resmu.A was initially executed.

Payload
Connects to a remote server
Trojan:Win32/Resmu.A!rootkit may try to hook NDIS and use the ndisrd driver to contact various remote servers over HTTP. It may then download and upload arbitrary files using FTP. Some of the remote servers it is known to connect to are:
bkglpvdh.com
cbaygdvd.com
gthydetr.org
kknbktja.com
okrayjvd.org
otnvgeve.com
sqghtiae.com
vmggmlen.org
vqjtjqty.org
wswuratr.org
xathjxfh.org
ximfmhsa.com
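A defender-side hunt for the installation and network artifacts listed above, written as an added PowerShell example that is not part of the original analysis. It assumes an elevated session on Windows 8 / Server 2012 or later (for Get-DnsClientCache and Get-FileHash), and a hypothetical $DropperFolder parameter standing in for the unknown <current folder> where the dropper ran.

```powershell
# Added example: hunts a host for the Resmu.A artifacts named in the description.
# $DropperFolder is a hypothetical parameter; the real <current folder> varies per host.
param(
    [string]$DropperFolder = (Get-Location).Path
)

$findings = @()

# 1. Service registration: HKLM\SYSTEM\CurrentControlSet\Services\srenum with an ImagePath value
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\srenum'
if (Test-Path $svcKey) {
    $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svcKey (ImagePath=$imagePath)"
}

# 2. Dropped kernel driver under <system folder>\drivers
$driver = Join-Path ([Environment]::SystemDirectory) 'drivers\srenum.sys'
if (Test-Path $driver) {
    $hash = (Get-FileHash -Path $driver -Algorithm SHA256).Hash
    $findings += "Driver file present: $driver (SHA256=$hash)"
}

# 3. Any service whose ImagePath ends in srenum.sys, in case the key name differs
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($ip -and $ip -match 'srenum\.sys$') {
            $findings += "ImagePath references srenum.sys: $($_.PSChildName) -> $ip"
        }
    }

# 4. NDIS companion files left in the dropper's working folder
foreach ($name in 'ndisrd.sys', 'ndisrd.inf', 'ndisrd_m.inf') {
    $p = Join-Path $DropperFolder $name
    if (Test-Path $p) { $findings += "Companion file present: $p" }
}

# 5. DNS client cache entries for the remote servers listed in the description
$domains = 'bkglpvdh.com', 'cbaygdvd.com', 'gthydetr.org', 'kknbktja.com', 'okrayjvd.org', 'otnvgeve.com',
           'sqghtiae.com', 'vmggmlen.org', 'vqjtjqty.org', 'wswuratr.org', 'xathjxfh.org', 'ximfmhsa.com'
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $domains) {
    if ($cache | Where-Object { $_.Entry -like "*$d" }) { $findings += "DNS cache hit: $d" }
}

if ($findings.Count -eq 0) { 'No Resmu.A artifacts found.' } else { $findings }
```

Because the component is a kernel-mode rootkit, it may hide its driver and service key from user-mode enumeration on a live system; a clean result here should be confirmed against an offline image or a boot from trusted media.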
Analysis by Andrei Florin Saygo. Last update: 20 September 2010.