
TrojanDropper:Win32/Rustock.J


First posted on 10 July 2009.
Source: SecurityHome

Aliases:

TrojanDropper:Win32/Rustock.J is also known as Trojan-Downloader.Win32.Boltolog.fth (Kaspersky), Win32/Rustock.NJB (ESET), Trj/Downloader.MDW (Panda), and Tool:Win32/Dnschanger (other).

Explanation:

TrojanDropper:Win32/Rustock.J is a detection for the installer component of certain members of the Win32/Rustock malware family. It installs or updates the device driver component of certain Rustock samples.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

TrojanDropper:Win32/Rustock.J checks whether a specific version of the Win32/Rustock driver is already running on the system. If it is, the dropper terminates itself. If an older version of the driver is present, it attempts to open and update that driver. If no driver is installed at all, TrojanDropper:Win32/Rustock.J attempts to install it using several methods in turn, so that if one method fails it can fall back to the next:

First, it attempts to back up '<system folder>\drivers\beep.sys' as '%temp%\<random name>.tmp'. It then overwrites '<system folder>\drivers\beep.sys' with the Rustock driver component, restarts the 'beep' service, and restores the original 'beep.sys' file.

If this method fails, it backs up '<system folder>\drivers\null.sys' as '%temp%\<random name>.tmp', overwrites '<system folder>\drivers\null.sys' with the driver component, restarts the 'null' service, and restores the original 'null.sys' file.

If this method also fails, it drops the Rustock driver component as '<system folder>\drivers\<random name>.sys', then creates and starts a service named '<random name>'. One service name it is known to use is 'glaide32'.

The Rustock driver component may be detected as Backdoor:WinNT/Rustock.F.
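The installation sequence above leaves three kinds of traces on a host. The following PowerShell script is an added defensive check, not part of the original analysis: it looks for a tampered or recently modified beep.sys / null.sys, the backup copies the dropper parks in %temp%, and kernel driver services whose image in the drivers folder is not Microsoft-signed. It assumes a current Windows host, PowerShell 5.1 or later, and an elevated session; the seven-day modification window is an arbitrary choice.

```powershell
# Added detection script (not from the original page). Run elevated on
# Windows with PowerShell 5.1+; prints one line per finding, nothing when clean.
$drivers  = Join-Path $env:SystemRoot 'System32\drivers'
$findings = @()

# Helper: a driver image should carry a valid Microsoft signature. On older
# builds these files are catalog-signed and Get-AuthenticodeSignature may
# report NotSigned for them; if every driver on the host reports NotSigned,
# compare file hashes against a known-good baseline instead.
function Test-MicrosoftSigned([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft')
}

# 1. beep.sys / null.sys are the two drivers the dropper overwrites and then
#    restores; a bad signature or a fresh timestamp on either is suspicious.
foreach ($name in 'beep.sys', 'null.sys') {
    $path = Join-Path $drivers $name
    if (-not (Test-Path $path)) { $findings += "missing: $path"; continue }
    if (-not (Test-MicrosoftSigned $path)) { $findings += "unexpected signature: $path" }
    if ((Get-Item $path).LastWriteTime -gt (Get-Date).AddDays(-7)) {   # 7 days: arbitrary window
        $findings += "recently modified: $path"
    }
}

# 2. The original driver is parked as %temp%\<random>.tmp before the overwrite.
#    A .tmp file that begins with the PE 'MZ' header is therefore worth a look.
Get-ChildItem -Path $env:TEMP -Filter '*.tmp' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $head = New-Object byte[] 2
    $fs = $_.OpenRead()
    try { $n = $fs.Read($head, 0, 2) } finally { $fs.Close() }
    if ($n -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
        $findings += "PE image stored as temp file: $($_.FullName)"
    }
}

# 3. Fallback path: a new kernel service with a random name (the page cites
#    'glaide32') whose image sits in the drivers folder. Report any such
#    driver that is not Microsoft-signed.
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    if (-not $_.PathName) { return }
    $img = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $img = [Environment]::ExpandEnvironmentVariables($img)
    if ($img -match '\\drivers\\' -and (Test-Path $img) -and -not (Test-MicrosoftSigned $img)) {
        $findings += "driver service '$($_.Name)' -> $img"
    }
}

$findings
```

Any hit in section 3 should be compared against the host's software inventory before being treated as malicious, since legitimately unsigned third-party drivers will also appear there.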

Analysis by Shawn Wang

Last update 10 July 2009
