
Backdoor:Win32/Redsip.A!dll


First posted on 08 June 2010.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor:Win32/Redsip.A!dll.

Explanation :

Backdoor:Win32/Redsip.A!dll is a trojan component installed by TrojanDropper:Win32/Redsip.A. Win32/Redsip allows limited remote access and control of an affected computer.

Installation

Backdoor:Win32/Redsip is installed by TrojanDropper:Win32/Redsip.A and may be present as the following:

<system folder>\Connect.dll - Backdoor:Win32/Redsip.A!dll
<system folder>\Startup.dll - Backdoor:Win32/Redsip.A!svc

Backdoor:Win32/Redsip runs as a service named "CryptHost" to run the dropped component "Startup.dll":

Sets value: "CryptHost"
With data: "crypthost"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

Sets value: "ServiceDll"
With data: "<system folder>\startup.dll"
In subkey: HKLM\SYSTEM\ControlSet001\Services\CryptHost\Parameters

TrojanDropper:Win32/Redsip modifies registry data to instruct Backdoor:Win32/Redsip to communicate with a remote server:

Sets value: "connect1"
With data: "blog.afbjz.com"
In subkey: HKLM\Software\RAT

When Backdoor:Win32/Redsip.A!svc runs, it loads and runs an export from the component "connect.dll" named "PluginExecute" to perform certain actions.

Payload

Connects to remote server

Backdoor:Win32/Redsip attempts to connect to a server named "blog.afbjz.com" using TCP port 80.

Allows limited remote access and control

Backdoor:Win32/Redsip loads and runs the export "PluginExecute" from the component "connect.dll". The export supports numerous commands that may be returned by the server, such as the following:

CMD_SET_REM
CMD_File_FIND
CMD_File_Managers
CMD_RESET_HOST
CMD_Screen_Managers
CMD_CLOSE_HOST
CMD_UNINSTALL_HOST
SHELL_CMD
CMD_REGEDIT
SERVICE_ENUM
PROCESS_ENUM
PLUGIN_INSTALL
CMD_VIDEO
CMD_KEYBOARD

Commands are initiated from the server by starting associated "plugin" DLLs, for example:

PluginFile.dll
PluginScreen.dll
PluginKeyboard.dll
PluginProcess.dll
etc.
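As an added, defender-side example that is not part of the original write-up, the following Python parses a registry export (.reg text) and flags the three registry writes described above: the "CryptHost" svchost group, a ServiceDll pointing at startup.dll or connect.dll, and the connect1 host stored under HKLM\Software\RAT. The sample registry text and the file paths in it are constructed for the example, not captured from an infection.

```python
import re

# Indicators taken from the write-up above; file paths are placeholders.
REDSIP_SERVICE_DLLS = {"startup.dll", "connect.dll"}
REDSIP_C2_HOSTS = {"blog.afbjz.com"}
REDSIP_SVCHOST_GROUP = "crypthost"

# Constructed sample of a .reg export (not a real capture) reproducing the three
# registry writes described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"CryptHost"="crypthost"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CryptHost\Parameters]
"ServiceDll"="C:\\Windows\\System32\\startup.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\RAT]
"connect1"="blog.afbjz.com"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
STR_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text: str) -> dict[tuple[str, str], str]:
    """Map (key, value name) -> data for REG_SZ entries; hex/hex(7) values are skipped."""
    entries, current_key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif current_key and (m := STR_VALUE_RE.match(line)):
            # .reg exports escape backslashes and quotes inside string data.
            entries[(current_key, m.group(1))] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return entries

def find_redsip_indicators(text: str) -> list[str]:
    """Flag the svchost group, ServiceDll and C2 host writes described above."""
    findings = []
    for (key, name), data in parse_reg_export(text).items():
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(r"\currentversion\svchost") and n == REDSIP_SVCHOST_GROUP:
            findings.append(f"svchost group '{name}' registered under {key}")
        elif k.endswith(r"\parameters") and n == "servicedll" \
                and d.rsplit("\\", 1)[-1] in REDSIP_SERVICE_DLLS:
            findings.append(f"ServiceDll {data} loaded via service key {key}")
        elif k.endswith(r"\software\rat") and d in REDSIP_C2_HOSTS:
            findings.append(f"C2 host '{data}' stored in {key}\\{name}")
    return findings
```

Run it against the output of `reg export HKLM <file>` from a host under investigation; only REG_SZ values are parsed, so a ServiceDll written as REG_EXPAND_SZ (hex(2)) would need the parser extended.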

Analysis by Dan Kurc

Last update 08 June 2010
