13 October 2011

Trojan:Win32/R2d2.A!rootkit

Aliases:

Trojan:Win32/R2d2.A!rootkit is also known as Win-Trojan/R2d2.5376 (AhnLab), W32/R2D2.A (Command), BackDoor.R2D2.1 (Dr.Web), Win32/R2D2.A (ESET), Backdoor.Win32.R2D2.a (Kaspersky), Troj/BckR2D2-A (Sophos), Backdoor.R2D2 (Symantec), Rootkit.R2D2.B (VirusBuster).

Explanation:
Trojan:Win32/R2d2.A!rootkit is a component of Backdoor:Win32/R2d2.A. It can delete or rename protected files, modify file properties and perform other actions.


Installation

This malware is installed by another process and may be present in the Windows system folder as the following:

    * %windir%\System32\winsys32.sys

The trojan executes as a service named "winsys32".

Payload
Performs file operations on protected files/modifies system data

This malware is used by Backdoor:Win32/R2d2.A to perform the following actions:

    * Delete or rename protected files by modifying registry data in the following subkey:
          o HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperation
    * Modify other registry data
    * Modify file information properties of other files via the Windows kernel-mode driver support routine ZwSetInformationFile
    * Create or modify files
    * Link to \\Device\KeyboardClassC to capture keystrokes
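The delayed delete/rename mechanism listed first above, decoded as an added example that is not part of the advisory: Windows stores the Session Manager value PendingFileRenameOperations as REG_MULTI_SZ strings in (source, destination) pairs, and this Python parser flags entries that would delete, rename or overwrite files under protected system directories. The sample value and its file names are constructed; on a live host the same list of strings is what winreg.QueryValueEx returns for that value.

```python
from typing import List, Tuple

# Windows stores PendingFileRenameOperations as consecutive (source, destination)
# string pairs in NT path form (\??\C:\...). An empty destination means "delete
# the source at next boot"; a destination starting with "!" means "overwrite an
# existing target". Session Manager applies these before most protections load,
# which is why a rootkit can use the value to remove or replace protected files.
PROTECTED_PREFIXES = (
    r"\??\c:\windows\system32",
    r"\??\c:\windows\syswow64",
    r"\??\c:\program files",
)

# Constructed sample: one routine temp-file cleanup plus two entries that
# touch System32 (a driver deletion and a DLL overwrite). Not real indicators.
SAMPLE_VALUE = [
    r"\??\C:\Users\user\AppData\Local\Temp\update.tmp", "",
    r"\??\C:\Windows\System32\drivers\examplesvc.sys", "",
    r"\??\C:\Windows\Temp\staged.dll", r"!\??\C:\Windows\System32\target.dll",
]


def parse_pending_ops(strings: List[str]) -> List[Tuple[str, str, str]]:
    """Decode REG_MULTI_SZ strings into (operation, source, destination)."""
    if len(strings) % 2:
        raise ValueError("odd string count: malformed PendingFileRenameOperations")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops


def is_protected(path: str) -> bool:
    """True when the NT path lies under one of the protected prefixes."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def suspicious_ops(strings: List[str]) -> List[Tuple[str, str, str]]:
    """Entries that delete, rename or overwrite something in a protected tree."""
    return [op for op in parse_pending_ops(strings)
            if is_protected(op[1]) or is_protected(op[2])]


if __name__ == "__main__":
    for op in suspicious_ops(SAMPLE_VALUE):
        print("%-7s %s -> %s" % op)
```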



Analysis by Jireh Sanico