Trojan.Win32.Redosdru.21356873
Type
Virus
Risk level / Spread level
/
Discovery date
[korea] 0000-00-00 [Foreign] 0000-00-00
Virobot response
2011-7-15 [Able to detect & repair]
[Symptom of Infection]

A.     Infection Route

Trojan.Win32.Redosdru.21356873 does not spread on its own; it is installed from a compromised website or by other malicious code such as spyware, adware or droppers.

 

B.     Symptom

1)     Trojan.Win32.Redosdru.21356873 is a variant of Ghost RAT (remote administration tool).

 

2)     Trojan.Win32.Redosdru.21356873 is a DLL-type file and runs with 5 factors.

[PIC 1] DLL factors
 

3)     Trojan.Win32.Redosdru.21356873 runs by being loaded into svchost.exe.

[PIC 2] Loaded into svchost.exe

 

4)     Trojan.Win32.Redosdru.21356873 registers itself as a service so that it is run periodically.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=%SystemRoot%\System32\svchost.exe -k ".Net CLR"
"DisplayName"="Microsoft .Net Framework COM+ Support"
"ObjectName"="LocalSystem"
"Description"="Microsoft .NET and Windows XP COM+ Integration with SOAP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR\Parameters]
"ServiceDll"=C:\WINDOWS\system32\winet.dll
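Added example (not the vendor's code): a small defender-side check that parses a .reg-style export of the Services hive and flags svchost-hosted services whose service group or ServiceDll is not on a known-good baseline, which is how an entry like the one above stands out. The sample export and the two baseline sets are constructed for this example; a real baseline is inventoried from a clean build of the same Windows version.

```python
import re
from typing import Dict, List
# Constructed sample in .reg export style: the persistence keys quoted in the advisory,
# plus one benign svchost-hosted service (Dnscache) for contrast.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR]
"ImagePath"=%SystemRoot%\System32\svchost.exe -k ".Net CLR"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR\Parameters]
"ServiceDll"=C:\WINDOWS\system32\winet.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"=%SystemRoot%\System32\svchost.exe -k NetworkService
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"=%SystemRoot%\System32\dnsrslvr.dll
'''
# Assumed baseline (hypothetical, deliberately short): svchost groups and ServiceDll names inventoried from a clean build.
KNOWN_GROUPS = {"netsvcs", "NetworkService", "LocalService", "RPCSS", "DcomLaunch"}
KNOWN_DLLS = {"dnsrslvr.dll", "rpcss.dll", "wuaueng.dll"}
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+"?(.+?)"?\s*$', re.IGNORECASE)

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg-style export into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # unquote REG_SZ values
            keys[current][name.strip('"')] = value
    return keys

def find_suspicious_svchost_services(text: str) -> List[Dict[str, str]]:
    """Flag svchost-hosted services whose group or ServiceDll is outside the baseline."""
    keys, findings = parse_reg(text), []
    for path, values in keys.items():
        m = SVCHOST_RE.search(values.get("ImagePath", ""))
        if not m:
            continue  # not an svchost-hosted service (or a Parameters subkey)
        group = m.group(1)
        dll = keys.get(path + "\\Parameters", {}).get("ServiceDll", "")
        dll_name = dll.rsplit("\\", 1)[-1].lower()
        reasons = [r for r, bad in ((f"unknown svchost group {group!r}", group not in KNOWN_GROUPS),
                                    (f"ServiceDll {dll_name!r} not in baseline", dll_name not in KNOWN_DLLS)) if bad]
        if reasons:
            findings.append({"service": path.rsplit("\\", 1)[-1], "group": group, "service_dll": dll, "reasons": "; ".join(reasons)})
    return findings
```

On a live host the same logic can be run over the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services`, and a hit on the group name alone is worth checking against the SvcHost list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.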

 

5)     Trojan.Win32.Redosdru.21356873 periodically tries to connect to a specific site (C&C server).
Once connected to the server, it may carry out additional malicious actions.

tiansh*****.3322.org 14.***.**.80:8000

  

[PIC 3] Network Access

C.     Additional Information

Ghost RAT is an open-source remote administration tool. It is used for malicious purposes: once a system is infected with it, the attacker has full control of the system, including keyboard and mouse input and the monitor output. For more information, refer to the following URL.

http://en.wikipedia.org/wiki/Ghost_Rat