Win32/Rovnix [Threat Name]

Win32/Rovnix.A [Threat Variant Name]

Available cleaner [Download Rovnix Cleaner]

Category trojan
Size 182784 B
Detection created Jun 17, 2011
Signature database version 6215
Aliases Trojan:Win32/Sisproc (Microsoft)
  BackDoor-CEP (McAfee)
Short description

Win32/Rovnix.A is a trojan that steals sensitive information and attempts to send it to a remote machine. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:

  • %variable%.log (77824 B)
  • %variable%.sys (38528 B)
  • c:\%variable%.bat

The trojan installs the following system driver:

  • %variable%.sys

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%.SYS\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "%variable%.sys"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%.SYS\0000]
    • "Service" = "%variable%.sys"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "%variable%.sys"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%variable%.SYS]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable%.sys\Enum]
    • "0" = "Root\LEGACY_%variable%.SYS\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable%.sys\Security]
    • "Security" = "%hexvalue%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable%.sys]
    • "Type" = 1
    • "Start" = 4
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\%variable%.sys"
    • "DisplayName" = "%variable%.sys"
    • "DeleteFlag" = 1
  • [HKEY_CURRENT_USER\Software\AppDataLow\{2EB8B042-32B9-3CC4-9653-2A3738FDEC81}]
    • "ID" = "%hexvalue%"
    • "Group" = 1016
    • "Config" = "%hexvalue%"

A string with variable content is used instead of %variable%. %system% stands for the Windows system folder and %hexvalue% for binary data shown in hexadecimal.
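The registry pattern above (a kernel driver service with Type=1 and Start=4, a DeleteFlag=1 left behind, an ImagePath in %system%, a matching Root\LEGACY_* enumeration node and the AppDataLow GUID key) can be checked offline against a `reg export` of the SYSTEM hive and the user's NTUSER hive. The script below is an added example and not ESET's code; it parses a constructed export (the service name `9f3ab1c2.sys` is a made-up stand-in for %variable%, and the `Beep` service is a benign control) and applies that indicator logic.

```python
"""Offline hunt for the Win32/Rovnix.A driver-installation artefacts in a .reg export.

Added example, not ESET's code. The sample export below is constructed; the
service name 9f3ab1c2.sys stands in for %variable%.
"""
import re
from collections import defaultdict

ROVNIX_GUID = "{2EB8B042-32B9-3CC4-9653-2A3738FDEC81}"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
ENUM_ROOT = "hkey_local_machine\\system\\currentcontrolset\\enum\\root\\legacy_"
APPDATALOW = "hkey_current_user\\software\\appdatalow\\" + ROVNIX_GUID.lower()

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def _logical_lines(text):
    """Join the backslash-continued hex lines that `reg export` writes."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_reg(text):
    """Parse the subset of .reg syntax that `reg export` emits: [Key] sections,
    "name"="string", dword:, hex: and hex(2): (REG_EXPAND_SZ stored as UTF-16LE).
    Returns {key_path_lowercased: {value_name: value}}."""
    hive = defaultdict(dict)
    current = None
    for line in _logical_lines(text):
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            hive[current]  # register the key even when it carries no values
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            hive[current][name] = data[1:-1].replace("\\\\", "\\")
        elif data.startswith("dword:"):
            hive[current][name] = int(data[6:], 16)
        elif data.startswith("hex"):
            kind, body = data.split(":", 1)
            blob = bytes(int(b, 16) for b in body.split(",") if b)
            hive[current][name] = blob.decode("utf-16-le").rstrip("\x00") if kind == "hex(2)" else blob
    return dict(hive)


def find_indicators(hive):
    """Apply the installation pattern from the description; returns [(name, reasons)]."""
    hits = []
    for key, vals in hive.items():
        if not key.startswith(SERVICES) or "\\" in key[len(SERVICES):]:
            continue  # service keys only, not their Enum/Security subkeys
        svc = key[len(SERVICES):]
        image = str(vals.get("ImagePath", "")).lower()
        reasons = []
        if vals.get("Type") == 1 and vals.get("Start") == 4:
            reasons.append("kernel driver registered as disabled (Type=1, Start=4)")
        if vals.get("DeleteFlag") == 1:
            reasons.append("DeleteFlag=1: marked for deletion but still registered")
        if svc.endswith(".sys") and "\\system32\\" in image:
            reasons.append("service named after a .sys file dropped in %system%")
        if ENUM_ROOT + svc in hive:
            reasons.append("matching Root\\LEGACY_* enumeration node")
        if len(reasons) >= 3:
            hits.append((svc, reasons))
    if APPDATALOW in hive and {"ID", "Config"} <= set(hive[APPDATALOW]):
        hits.append((ROVNIX_GUID, ["AppDataLow key with ID/Config blobs"]))
    return hits


# Constructed export (not a real host). ImagePath is REG_EXPAND_SZ, hence hex(2).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9f3ab1c2.sys]
"Type"=dword:00000001
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,39,00,66,00,33,00,61,00,62,00,\
  31,00,63,00,32,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="9f3ab1c2.sys"
"DeleteFlag"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9f3ab1c2.sys\Enum]
"0"="Root\\LEGACY_9F3AB1C2.SYS\\0000"
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_9F3AB1C2.SYS]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="System32\\drivers\\beep.sys"

[HKEY_CURRENT_USER\Software\AppDataLow\{2EB8B042-32B9-3CC4-9653-2A3738FDEC81}]
"ID"=hex:de,ad,be,ef
"Group"=dword:000003f8
"Config"=hex:01,02,03,04
"""

if __name__ == "__main__":
    for name, reasons in find_indicators(parse_reg(SAMPLE_EXPORT)):
        print(name, "->", "; ".join(reasons))
```

On a live host the same logic can be fed from `reg export HKLM\SYSTEM system.reg` and `reg export HKCU\Software\AppDataLow appdatalow.reg`; keys that survive a reboot with DeleteFlag=1 still set, or a Root\LEGACY_* node for a driver that no longer exists on disk, are the remnants worth looking for after the dropper has removed itself.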


Win32/Rovnix.A replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code, so that its code runs before the operating system is loaded.
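A responder who suspects the MBR has been replaced wants to compare sector 0 with a copy taken while the host was known-good, because a bootkit keeps the partition table and the 0x55AA signature intact and only swaps the bootstrap code, so a purely structural check passes. The script below is an added example and not ESET's code or the malware's: it parses a classic MBR, runs the structural checks, and compares the bootstrap code against a baseline hash. The two sectors it builds are constructed (the boot-code bytes are short stand-ins, not a real Windows MBR, and the two-partition layout is assumed).

```python
"""MBR integrity check: structural validation plus bootstrap-code baseline comparison.

Added example, not ESET's code. Sector contents below are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440   # bootstrap code; 4-byte disk signature and 2 reserved bytes follow
PT_OFFSET = 446      # four 16-byte partition entries
PT_ENTRY = 16


def parse_mbr(sector):
    """Split a classic (non-GPT) MBR into bootstrap code, disk signature and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY
        boot, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue  # empty slot
        if boot not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid boot indicator 0x{boot:02x}")
        partitions.append({"slot": i, "active": boot == 0x80, "type": ptype,
                           "lba": lba, "sectors": count})
    return {"bootcode": sector[:BOOTCODE_LEN],
            "disk_signature": sector[440:444],
            "partitions": partitions}


def bootcode_hash(sector):
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def check_mbr(sector, baseline_hash):
    """Return (ok, findings). The structural checks alone pass a bootkit's MBR;
    the comparison with a baseline recorded on a known-good system is what catches it."""
    info = parse_mbr(sector)
    findings = []
    if bootcode_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    ordered = sorted(info["partitions"], key=lambda p: p["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            findings.append(f"partition slots {a['slot']} and {b['slot']} overlap")
    return (not findings, findings)


def read_sector0(path):
    """Read sector 0 from a disk image, or on Windows (as administrator) from r'\\.\PhysicalDrive0'."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sector(bootcode, partitions, disk_signature=b"\x11\x22\x33\x44"):
    """Assemble a test MBR from bootcode bytes and (active, type, lba, sectors) tuples."""
    if len(bootcode) > BOOTCODE_LEN or len(partitions) > 4:
        raise ValueError("bootcode too long or too many partitions")
    s = bytearray(SECTOR)
    s[:len(bootcode)] = bootcode
    s[440:444] = disk_signature
    for i, (active, ptype, lba, count) in enumerate(partitions):
        off = PT_OFFSET + i * PT_ENTRY
        s[off] = 0x80 if active else 0x00
        s[off + 4] = ptype
        struct.pack_into("<II", s, off + 8, lba, count)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


# Constructed stand-ins, not real boot code: a conventional MBR start
# (xor ax,ax / mov ss,ax / mov sp,7C00h / mov es,ax / mov ds,ax) versus a different stub.
CLEAN_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")
BOOTKIT_BOOTCODE = bytes.fromhex("fa33c08ed0bc007cfbb80d00")
# Assumed layout: small active system partition followed by the OS volume (type 0x07, NTFS).
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41736192)]

if __name__ == "__main__":
    clean = build_sector(CLEAN_BOOTCODE, PARTITIONS)
    baseline = bootcode_hash(clean)  # record this while the host is known-good
    infected = build_sector(BOOTKIT_BOOTCODE, PARTITIONS)
    for label, sec in (("clean", clean), ("bootkit", infected)):
        print(label, check_mbr(sec, baseline))
```

The infected sector parses to exactly the same partition table as the clean one and carries a valid signature; only the hash comparison reports it. For a real investigation, take the baseline from a trusted image of the same machine (or from the OEM/installer MBR), not from the suspect disk.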


The trojan may create and run a new thread with its own program code within any running process.


After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan collects information while any of the following applications is in use:

  • explorer.exe
  • iexplorer.exe
  • firefox.exe
  • chrome.exe
  • opera.exe
  • safari.exe

The trojan attempts to send gathered information to a remote machine. It contains a list of 2 URLs and communicates over HTTP.


The trojan hooks the following Windows APIs:

  • InternetReadFile (Wininet.dll)
  • InternetReadFileExA (Wininet.dll)
  • InternetReadFileExW (Wininet.dll)
  • HttpSendRequestA (Wininet.dll)
  • HttpSendRequestW (Wininet.dll)
  • InternetQueryDataAvailable (Wininet.dll)
  • InternetConnectA (Wininet.dll)
  • InternetConnectW (Wininet.dll)
  • HttpOpenRequestA (Wininet.dll)
  • HttpOpenRequestW (Wininet.dll)
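Hooking these WinINet exports inside a browser process is what lets the trojan read requests and responses. A practitioner checking a suspect process wants to compare the first bytes of each export in memory with the same bytes from wininet.dll on disk and, where they differ, resolve where the redirect goes. The script below is an added example and not ESET's code: it implements that byte-level classification for the common detour shapes. Reading the live process (for example with ReadProcessMemory) is Windows-specific and left out; the in-memory and on-disk byte samples, the module address and the hook target are constructed.

```python
"""Inline-hook check for the WinINet exports the trojan is reported to hook.

Added example, not ESET's code. All byte samples and addresses below are
constructed; a real check reads them from the process and from the DLL on disk.
"""
import struct

# Exports the description lists as hooked; apply the check to each of them.
WININET_HOOKED_EXPORTS = (
    "InternetReadFile", "InternetReadFileExA", "InternetReadFileExW",
    "HttpSendRequestA", "HttpSendRequestW", "InternetQueryDataAvailable",
    "InternetConnectA", "InternetConnectW", "HttpOpenRequestA", "HttpOpenRequestW",
)


def classify_prologue(mem, disk, func_va, x64=False):
    """Compare the in-memory prologue with the on-disk bytes of one export.

    mem, disk: the first bytes of the function (8 on x86, 12 on x64 are enough).
    func_va: the function's address in the inspected process.
    Returns None when the bytes match; otherwise a dict naming the redirect shape
    and, where it can be computed statically, the hook target. The prologue holds
    no relocations, so a direct byte comparison is valid here.
    """
    n = min(len(mem), len(disk))
    if mem[:n] == disk[:n]:
        return None
    mask = (1 << 64) - 1 if x64 else (1 << 32) - 1
    if mem[0] == 0xE9 and len(mem) >= 5:  # jmp rel32: the classic 5-byte detour
        rel = struct.unpack_from("<i", mem, 1)[0]
        return {"kind": "jmp rel32", "target": (func_va + 5 + rel) & mask}
    if mem[:2] == b"\xFF\x25" and len(mem) >= 6:  # jmp [disp32]: absolute on x86, RIP-relative on x64
        disp = struct.unpack_from("<i", mem, 2)[0]
        ptr = (func_va + 6 + disp) & mask if x64 else disp & mask
        return {"kind": "jmp [mem]", "target_pointer": ptr}
    if mem[0] == 0x68 and len(mem) >= 6 and mem[5] == 0xC3:  # push imm32; ret
        return {"kind": "push/ret", "target": struct.unpack_from("<I", mem, 1)[0]}
    if x64 and mem[:2] == b"\x48\xB8" and len(mem) >= 12 and mem[10:12] == b"\xFF\xE0":
        return {"kind": "mov rax/jmp rax", "target": struct.unpack_from("<Q", mem, 2)[0]}
    return {"kind": "unknown patch", "first_bytes": mem[:8].hex()}


def scan_exports(snapshots, x64=False):
    """snapshots: {export_name: (mem_bytes, disk_bytes, func_va)} -> {name: finding} for hooked exports."""
    hooked = {}
    for name, (mem, disk, va) in snapshots.items():
        finding = classify_prologue(mem, disk, va, x64)
        if finding is not None:
            hooked[name] = finding
    return hooked


# Constructed sample: 32-bit wininet.dll with the usual hot-patchable prologue on disk
# (mov edi,edi; push ebp; mov ebp,esp; sub esp,10h). Addresses are assumed, not real.
DISK_PROLOGUE = bytes.fromhex("8bff558bec83ec10")
HTTPSENDREQUESTA_VA = 0x76A31D40   # assumed address of HttpSendRequestA in the process
HOOK_TARGET = 0x00A71000           # hypothetical injected code page the detour jumps to
_rel = (HOOK_TARGET - (HTTPSENDREQUESTA_VA + 5)) & 0xFFFFFFFF
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<I", _rel) + DISK_PROLOGUE[5:]

SAMPLE_SNAPSHOTS = {
    "HttpSendRequestA": (HOOKED_PROLOGUE, DISK_PROLOGUE, HTTPSENDREQUESTA_VA),
    "InternetReadFile": (DISK_PROLOGUE, DISK_PROLOGUE, 0x76A208C0),
}

if __name__ == "__main__":
    for name, finding in scan_exports(SAMPLE_SNAPSHOTS).items():
        print(f"{name}: {finding}")
```

A target that resolves to memory outside any loaded module (a private, executable heap or VirtualAlloc region) is the signature of an injected hook rather than a legitimate in-module hot patch; on x64 the same logic applies, with the x64 flag set, to the `mov rax, imm64 / jmp rax` and RIP-relative forms.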
