Trojan.Win32.Redosdru.21356873
| Aliases | Ghost RAT | ||
|---|---|---|---|
| Typical Symptoms | Security threats,Information leak | ||
| Discovered | [korea] 0000-00-00 [Foreign] 0000-00-00 |
||
| Type | Virus | ActiveField | Win32 |
| Destory/Distribution |   |
||
| Origin | others | Encryption | NO |
| Location | Macro | Memory residence | NO |
| Scan engine needed |
2011-7-15 [Able to detect & repair]
|
||
[Symptom of Infection] A. Infection RouteTrojan.Win32.Redosdru.21356873 does not spread out as itself, and it is installed from hacked site or by other malicious codes such as Spyware, Adware, Dropper, etc. B. Symptom1) Trojan.Win32.Redosdru.21356873 is a variant of ghost RAT(Remote tool). 2) Trojan.Win32.Redosdru.21356873 is a Dll typed file, and runs by 5 factors.
[PIC 1] Dll factor 3) Trojan.Win32.Redosdru.21356873 runs by loading to Svchost.exe.
[PIC 2] svchost.exe Load 4) Trojan.Win32.Redosdru.21356873 tries to run periodically by registering to service. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR] "Type"=dword:00000110 "Start"=dword:00000002 "ErrorControl"=dword:00000001 "ImagePath"=%SystemRoot%\System32\svchost.exe -k ".Net CLR" "DisplayName"="Microsoft .Net Framework COM+ Support" "ObjectName"="LocalSystem" "Description"="Microsoft .NET and Windows XP COM+ Integration with SOAP" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR\Parameters] "ServiceDll"=C:\WINDOWS\system32\winet.dll 5) Trojan.Win32.Redosdru.21356873 tries to access to a certain site(C&C Server) by period. tiansh*****.3322.org 14.***.**.80:8000 [PIC 3] Network Access C. Additional Informationghost Rat is an open source based remote management tool. It is used for malicious method, and once the system is infected by this tool, the system is fully dominated and hacker can control all actions such as keyboard/mouse control or monitor output. For more information, refer following URL. http://en.wikipedia.org/wiki/Ghost_Rat |
|
