Win32/Rioselx [Threat Name] go to Threat

Win32/Rioselx.B [Threat Variant Name]

Category trojan
Size 208147 B
Detection created May 23, 2015
Detection database version 11674
Aliases Trojan:Win32/Bagsu!rfn (Microsoft)
  Trojan.PWS.Panda.7708 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %localappdata%\­Explorer\­explore.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • "explorer" = "%localappdata%\­Explorer\­explore.exe"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%localappdata%\­Explorer\­explore.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "ConsentPromptBehaviorAdmin" = 0
  • [HKEY_LOCAL_MACHINE\­Software\­Policies\­Microsoft\­Windows\­WindowsUpdate\­AU]
    • "NoAutoUpdate" = 1
  • [HKEY_LOCAL_MACHINE\­Software\­Policies\­Microsoft\­Windows NT\­SystemRestore]
    • "DisableSR" = 1

The trojan executes the following files:

  • %malwarefilepath%
  • %windir%\­System32\­svchost.exe
  • %windir%\­explorer.exe
  • %windir%\­SysWOW64\­svchost.exe
  • %windir%\­SysWOW64\­explorer.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan quits immediately if it is run within a debugger.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • ollydbg.exe
  • wireshark.exe
  • smsniff.exe
Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (8) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • update itself to a newer version
  • uninstall itself

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­SOFTWARE\­explorer\­id]
  • [HKEY_CURRENT_USER\­SOFTWARE\­explorer\­pcid]
  • [HKEY_CURRENT_USER\­SOFTWARE\­explorer\­mpid]
  • [HKEY_CURRENT_USER\­SOFTWARE\­explorer\­wpid]
  • [HKEY_CURRENT_USER\­SOFTWARE\­explorer\­mod]

Please enable Javascript to ensure correct displaying of this content and refresh this page.