Home / malware

PDF

TrojanSpy:Win32/Ranbyus.N

First posted on 28 November 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanSpy:Win32/Ranbyus.N.

Explanation :

Threat behavior

Installation
This threat can create files on your PC, including:

• \system check.lnk
• \smiauftnfdmohp.exe

Payload


Bypasses firewall



This threat tries to bypass your firewall by modifying the registry. For example:

In subkey:HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
Sets value: "\svchost.exe"
With data: "\svchost.exe:*:enabled:mklwvcpqfgilgmjaxcgjmjcijd"



This threat can create one or more mutexes on your PC. For example:

• 2D5C55C00000035401CFFA99LWRRQTZzVmQnU
• 87b3c64lkj48gd
• InstalledMutex
• v&xEiR43#$

This malware description was published using automated analysis of file SHA1 26a0cca661d24799746eb5e926c41b0a0fa8d168. Symptoms

The following can indicate that you have this threat on your PC:

• You see these files:
• \system check.lnk
• \smiauftnfdmohp.exe
• You see registry modifications such as:
  
  • In subkey: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
    Sets value: "\svchost.exe"
    With data: "\svchost.exe:*:enabled:mklwvcpqfgilgmjaxcgjmjcijd"
• You see a mutex such as:
• 2D5C55C00000035401CFFA99LWRRQTZzVmQnU
• 87b3c64lkj48gd
• InstalledMutex
• v&xEiR43#$

Last update 28 November 2014

 

TOP