Win32/RDPdoor [Threat Name] go to Threat

Win32/RDPdoor.AA [Threat Variant Name]

Category trojan
Size 38944 B
Detection created Feb 16, 2011
Detection database version 5879
Aliases Trojan.Win32.Antavmu.kcf (Kaspersky)
  Generic.dx!ywr (McAfee)
Short description

Win32/RDPdoor.AA installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %system%\­ms%variable%.exe
  • %temp%\­ms%variable%.exe

The trojan registers itself as a system service using the following name:

  • Network Adapter Events

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­Network Adapter Events]
    • "Type" = 272
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%malwarefolder%\­ms%variable%.exe /service"
    • "DisplayName" = "Network Adapter Events"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Enables network event log messages issued by adapters and other virtual network components. This service cannot be stopped."

A string with variable content is used instead of %variable% .

Payload information

The trojan creates a new user account with the username:

  • TermUser

and the password:

  • TMPass32

The trojan adds the user TermUser to the following groups:

  • Administrators
  • Remote Desktop Users

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon\­SpecialAccounts\­UserList]
    • "TermUser" = 0

This way the trojan hides the created user account in listings of all accounts.


Win32/RDPdoor.AA installs the following software:

  • Thinsoft BeTwin

This way the trojan enables Remote Desktop connections on the infected system.


The trojan can change the user's logon password.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (1) URLs. The HTTP protocol is used.


The trojan collects the following information:

  • user name
  • login password
  • computer name
  • operating system version

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­TermServMonitor]

The trojan may create the following files:

  • %temp%\­tk%variable%.exe

A string with variable content is used instead of %variable% .


The trojan may turn off the computer.


The trojan disables various security related applications.


The following services are disabled:

  • BFE
  • Detector de OfficeScanNT
  • fsbts
  • FSDFWD
  • F-Secure Filter
  • F-Secure Gatekeeper Handler Starter
  • F-Secure Gatekeeper
  • F-Secure HIPS
  • F-Secure Recognizer
  • FSFW
  • FSMA
  • FSORSPClient
  • ISWKL
  • IswSvc
  • kl1
  • klif
  • klpf
  • klpid
  • kmxagent
  • kmxbig
  • kmxcfg
  • kmxfile
  • kmxfw
  • kmxids
  • kmxndis
  • kmxsbx
  • lnsfw1
  • McAfee Framework Service
  • MpsSvc
  • Norton Antivirus Service
  • OutpostFirewall
  • Panda Antivirus
  • sfilter
  • sharedaccess
  • SmcService
  • UmxAgent
  • UmxCfg
  • UmxLU
  • UmxPol
  • vsdatant
  • vsmon
  • WinDefend
  • ZoneAlarm

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Look 'n' Stop"
    • "Zone Labs Client"
    • "ZoneAlarm Client"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "GinaDLL"="xtgina.dll"

The following files are deleted:

  • %startup%\­Kaspersky Anti-Hacker.lnk

Please enable Javascript to ensure correct displaying of this content and refresh this page.