
Trojan:Win32/R2d2.A!rootkit


First posted on 13 October 2011.
Source: SecurityHome

Aliases:

Trojan:Win32/R2d2.A!rootkit is also known as Win-Trojan/R2d2.5376 (AhnLab), W32/R2D2.A (Command), BackDoor.R2D2.1 (Dr.Web), Win32/R2D2.A (ESET), Backdoor.Win32.R2D2.a (Kaspersky), Troj/BckR2D2-A (Sophos), Backdoor.R2D2 (Symantec), Rootkit.R2D2.B (VirusBuster).

Explanation:

Trojan:Win32/R2d2.A!rootkit is a component of Backdoor:Win32/R2d2.A. It can delete or rename protected files, modify file properties and perform other actions.

Installation
This malware is installed by another process and may be present in the Windows system folder as the following:

  • %windir%\System32\winsys32.sys
The trojan executes as a service named "winsys32".

Payload
Performs file operations on protected files / modifies system data

This malware is used by Backdoor:Win32/R2d2.A to perform the following actions:
  • Delete or rename protected files by modifying registry data in the following subkey:
    • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperation
  • Modify other registry data
  • Modify file information properties of other files via the Windows kernel-mode driver support routine ZwSetInformationFile
  • Create or modify files
  • Link to \\Device\KeyboardClassC to capture keystrokes
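The installation and payload indicators above can be checked from the host side. The following PowerShell triage script is an added example, not part of the original write-up: it looks for the driver file in %windir%\System32, for a kernel-mode service registered under the same name, and for entries queued in the Session Manager rename value that the rootkit edits. The driver name comes from this page; the registry value is queried under its Windows spelling, PendingFileRenameOperations (a REG_MULTI_SZ of source/destination pairs), which the write-up gives without the trailing "s".

```powershell
# Added example (not from the original write-up): defender-side triage for the
# indicators listed on this page. Run in an elevated PowerShell session on the host under review.

function Test-R2d2Indicators {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'winsys32'   # service/driver name taken from the write-up
    )

    $findings = @()

    # 1. Driver file in the Windows system folder (%windir%\System32\winsys32.sys)
    $driverPath = Join-Path $env:windir "System32\$DriverName.sys"
    if (Test-Path -LiteralPath $driverPath) {
        $item = Get-Item -LiteralPath $driverPath
        $hash = (Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'DriverFile'
            Detail    = "$driverPath (size $($item.Length) bytes, SHA256 $hash)"
        }
    }

    # 2. Kernel-mode service registered under the same name
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Indicator = 'DriverService'
            Detail    = "$($svc.Name): state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
        }
    }

    # 3. Rename/delete operations queued for the next boot. This is the value the rootkit
    #    edits to remove or rename protected files; legitimate installers also use it,
    #    so review each entry rather than treating any content as malicious.
    $smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $smKey -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pending) {
        # The REG_MULTI_SZ holds source/destination pairs; an empty destination means delete.
        for ($i = 0; $i -lt $pending.Count; $i += 2) {
            $src = $pending[$i]
            $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
            $op  = if ([string]::IsNullOrEmpty($dst)) { 'DELETE' } else { "RENAME -> $dst" }
            $findings += [pscustomobject]@{
                Indicator = 'PendingFileRenameOperations'
                Detail    = "$src : $op"
            }
        }
    }

    return $findings
}

$results = Test-R2d2Indicators
if ($results) { $results | Format-Table -AutoSize } else { Write-Output 'No R2D2 indicators found.' }
```

The keystroke-capture indicator (a driver attached to the keyboard class device) is not visible from user mode with this script; confirming it requires a kernel debugger view of the keyboard device stack or a memory image, so treat the three checks above as a first pass that decides whether that deeper collection is worthwhile.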


Analysis by Jireh Sanico

Last update 13 October 2011
