Trojan.Rikamanu
First posted on 28 July 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Rikamanu.
Explanation:
Once executed, the Trojan creates the following files:
%Windir%\Help\CNDY.DAT
%System%\drivers\Irmon.dll
Next, the Trojan creates a service with the following properties:
Display name: Irmon
Image path: %System%\svchost.exe -k netsvcs
Description: The infrared Port Monitor is present for all computers with infrared ports. It initiates file transfer between your computer and another device, like a PDA or mobile phone.
It then creates the following registry subkey to register itself as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon
The Trojan then logs keystrokes made on the compromised computer and saves the stolen information to the following location:
%Windir%\Help\CNDY.DAT
The Trojan may then send the information to a remote attacker.
Last update 28 July 2015
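The file and service indicators listed above can be matched against a host inventory collected during triage. The following is an added example, not part of the original write-up; the function names, the `C:\Windows` default and the sample inventory are assumptions constructed for illustration.

```python
import ntpath

# Indicators exactly as listed on this page (Symantec path variables).
FILE_IOCS = [r"%Windir%\Help\CNDY.DAT", r"%System%\drivers\Irmon.dll"]
SERVICE_KEY = "irmon"  # HKLM\SYSTEM\CurrentControlSet\Services\irmon
SERVICE_IMAGE = r"%System%\svchost.exe -k netsvcs"


def expand(path, windir=r"C:\Windows"):
    """Resolve %Windir%, %SystemRoot% and Symantec's %System% (System32),
    then normalise and lower-case, since Windows paths are case-insensitive."""
    system = ntpath.join(windir, "System32")
    out = path
    for var, val in (("%windir%", windir), ("%systemroot%", windir),
                     ("%system%", system)):
        idx = out.lower().find(var)
        if idx != -1:
            out = out[:idx] + val + out[idx + len(var):]
    return ntpath.normpath(out).lower()


def triage(files, services, windir=r"C:\Windows"):
    """Return the indicators found on one host.
    files: iterable of file paths; services: {service key name: ImagePath}."""
    seen = {expand(f, windir) for f in files}
    findings = [ioc for ioc in FILE_IOCS if expand(ioc, windir) in seen]
    wanted_image = expand(SERVICE_IMAGE, windir)
    for name, image in services.items():
        if name.lower() == SERVICE_KEY and expand(image, windir) == wanted_image:
            findings.append("service:" + SERVICE_KEY)
    return findings


# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [
    r"c:\windows\help\cndy.dat",
    r"C:\WINDOWS\system32\drivers\irmon.dll",
    r"C:\Windows\System32\drivers\ntfs.sys",
]
SAMPLE_SERVICES = {
    "Irmon": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "Dhcp": r"%SystemRoot%\System32\svchost.exe -k LocalService",
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES, SAMPLE_SERVICES):
        print("match:", hit)
```

The service match alone is weak evidence, because `svchost.exe -k netsvcs` is a shared host process used by many services; the two file paths are the stronger signal.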