MSIL/Restamdos [Threat Name]

MSIL/Restamdos.AK [Threat Variant Name]

Category trojan
Size 57344 B
Detection created Feb 02, 2013
Detection database version 7963
Aliases Trojan.Win32.Jorik.Arcdoor.bke (Kaspersky)
  Trojan:Win32/Sisron (Microsoft)
  Dropper.Msil.M (AVG)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\AutoStart.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Audio HD Driver" = "%temp%\AutoStart.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Audio HD Driver" = "%temp%\AutoStart.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2

The trojan quits immediately if it is run within a debugger.

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • cain.exe
  • filemon.exe
  • netmon.exe
  • netstat.exe
  • procmon.exe
  • regmon.exe
  • tcpview.exe
  • wireshark.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

MSIL/Restamdos.AK is a trojan that steals sensitive information.

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • computer name
  • operating system version
  • country

The following programs are affected:

  • Mozilla Firefox
  • FileZilla

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • update itself to a newer version
  • uninstall itself

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "EnableBalloonTips" = 0
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    • "DisableCMD" = 2
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1
    • "DisableTaskMgr" = 1
    • "SetValue" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "SetValue" = 0
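The Run-key persistence listed under Installation and the policy lockdown values listed just above are the host artefacts a responder can check for offline. The following script is an added example, not ESET's code and not part of this description: it runs a detection pass over a registry snapshot represented as (key path, value name, data) tuples, a shape assumed for the example (what you would have after parsing `reg export` output or an Autoruns CSV). The sample snapshot embedded in it is constructed, not captured from an infected host. It separates the Run entry and the three Disable* policies, which are strong indicators, from the Explorer\Advanced and SetValue entries, which also occur as ordinary user preferences and should only corroborate a finding.

```python
"""Offline check of a registry snapshot for the persistence and lockdown
values this page lists for MSIL/Restamdos.AK. The snapshot shape is an
assumption of this example: (key path, value name, data) tuples such as
you would get after parsing `reg export` output or an Autoruns CSV."""

# Run keys and the persistence value name the page describes.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "Audio HD Driver"

# Policy and Explorer values the page lists, with the data the trojan writes.
LOCKDOWN_VALUES = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"): 2,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "EnableBalloonTips"): 0,
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD"): 2,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "SetValue"): 0,
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System", "SetValue"): 0,
}
# The Disable* policies are rarely set outside managed environments; the
# Explorer\Advanced and SetValue entries also occur as ordinary preferences,
# so they only corroborate a finding rather than establish one.
STRONG_LOCKDOWN = {"disablecmd", "disableregistrytools", "disabletaskmgr"}

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def normalize_key(path):
    """Expand HKLM/HKCU abbreviations and lower-case the path so keys compare reliably."""
    path = path.replace("/", "\\").strip("\\")
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


NORMALIZED_RUN_KEYS = {normalize_key(k) for k in RUN_KEYS}
NORMALIZED_LOCKDOWN = {(normalize_key(k), n.lower()): v for (k, n), v in LOCKDOWN_VALUES.items()}


def as_int(data):
    """Accept int, '1', '0x1' or reg-export style 'dword:00000001'; None if not numeric."""
    if isinstance(data, int):
        return data
    text = str(data).strip().lower()
    try:
        if text.startswith("dword:"):
            return int(text[6:], 16)
        return int(text, 0)
    except ValueError:
        return None


def check_run_value(key, name, data):
    """Flag a Run entry by the value name the page gives, or by a target that is
    AutoStart.exe inside a Temp directory (literal %temp% or an expanded path)."""
    if normalize_key(key) not in NORMALIZED_RUN_KEYS:
        return None
    target = str(data).strip().strip('"').lower()
    name_hit = name.lower() == RUN_VALUE_NAME.lower()
    target_hit = target.endswith("\\autostart.exe") and ("%temp%" in target or "\\temp\\" in target)
    if name_hit or target_hit:
        return ("strong", f"Run persistence: {key}\\{name} -> {data}")
    return None


def check_lockdown_value(key, name, data):
    """Flag a policy/Explorer value only when its data equals what the trojan writes."""
    expected = NORMALIZED_LOCKDOWN.get((normalize_key(key), name.lower()))
    actual = as_int(data)
    if expected is None or actual is None or actual != expected:
        return None
    severity = "strong" if name.lower() in STRONG_LOCKDOWN else "weak"
    return (severity, f"Lockdown value: {key}\\{name} = {actual}")


def scan_snapshot(entries):
    """Run both checks over (key, name, data) tuples; return (severity, message) findings."""
    findings = []
    for key, name, data in entries:
        for check in (check_run_value, check_lockdown_value):
            hit = check(key, name, data)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample snapshot (not captured from a real host): infected-looking
# values mixed with benign entries that must not be flagged.
SAMPLE_SNAPSHOT = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Audio HD Driver", r"%temp%\AutoStart.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Users\bob\AppData\Local\Temp\AutoStart.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "dword:00000001"),
    (r"HKCU\Software\Policies\Microsoft\Windows\System", "DisableCMD", "2"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 0),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 2),
]

if __name__ == "__main__":
    for severity, message in scan_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{severity}] {message}")
```

On the sample snapshot the scan reports four strong findings (both Run entries, DisableTaskMgr and DisableCMD) and one weak one (Hidden = 2), and leaves the benign Run entry and the DisableRegistryTools = 0 value alone. Matching the Run target by file name and Temp location, rather than only by the "Audio HD Driver" value name, catches the case where the snapshot stores the expanded path.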

The trojan may execute the following commands:

  • Netsh Advfirewall set Currentprofile State off

The trojan may display a fake error message:

Trojan requires the Microsoft .NET framework to run.
