Malware Trojan.Rodricter.3

Posted: September 6, 2012 in Encyclopedia viruses
Technical information

To ensure autorun and distribution, modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'uct.exe' = '"%APPDATA%\uct.exe"'

Creates or modifies the following files:

%WINDIR%\Tasks\fbagent.job

Malicious functions: Creates and runs the following:

%TEMP%\cdt.exe
%WINDIR%\Temp\_ex-68.exe
%WINDIR%\Temp\_ex-08.exe
%TEMP%\setup.exe
%TEMP%\sc.exe
%TEMP%\cdt1.exe
%WINDIR%\Temp\_ex-08.exe (downloaded from the Internet)
%WINDIR%\Temp\_ex-68.exe (downloaded from the Internet)

Executes:

<SYSTEM32>\Rundll32.exe <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\photo.JPG

Terminates or attempts to terminate the following user processes:

iexplore.exe
firefox.exe
chrome.exe

Changes in the file system: Creates the following files:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\setup[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\setup[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\setup[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\setup[1].php
%TEMP%\3.tmp
%TEMP%\4.tmp
%APPDATA%\uct.exe
%TEMP%\2.tmp
%TEMP%\cdt1.exe
%TEMP%\cdt.exe
%TEMP%\setup.exe
%TEMP%\sc.exe
%APPDATA%\vgz.exe
%WINDIR%\Temp\_ex-08.exe
%WINDIR%\Temp\_ex-68.exe
%TEMP%\photo.JPG

Network activity: Connects to:

'st##001.com':80
'21#.#3.15.140':80
'zo##oud.in':80
'uf##wuk.in':80

TCP: HTTP GET requests:

st##001.com/1/setup.php?ac########################################################
st##001.com/1/setup.php?ac############################################
st##001.com/1/setup.php?ac##################################################
zo##oud.in/rnn0001.exe
uf##wuk.in/notepad.exe
st##001.com/1/setup.php?ac#################################################

UDP:

DNS ASK st##001.com
DNS ASK uf##wuk.in
DNS ASK zo##oud.in
'<local network IP>':1035

Other: Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''

Recommendations for recovery of the local computer

  • Boot Windows in Safe Mode.
  • Scan the PC with the free Dr.Web CureIt! utility. For every infected file detected, apply the <Cure> action.
  • Dr.Web CureIt! will disinfect the local computer and display the results on the screen.

Restore the registry from a backup. We strongly recommend downloading an updated version of Dr.Web antivirus at least once every two weeks and running a full system scan for viruses. Always keep backup copies of important data archived on removable media (such as an external HDD drive); this will help avoid data corruption. We strongly recommend: buy Dr.Web.

Important! Before performing step 2, configure your mail client so that it stores attachments as separate files rather than inside the mailbox database. For example, in The Bat! mail client, separate storage of attachments is configured as follows: Account – Properties – Files & Directories – Keep attachment files – Separately in a different folder.
