Win32/Rodecap [Threat Name]

Win32/Rodecap.AA [Threat Variant Name]

Category trojan
Size 95232 B
Detection created Feb 18, 2010
Detection database version 4876
Aliases Trojan.Win32.Scar.bklu (Kaspersky)
  Trojan:Win32/Rodecap.A (Microsoft)
  Downloader (Symantec)
Short description

Win32/Rodecap.AA is a trojan which tries to download other malware from the Internet. It can be controlled remotely.

Installation

The trojan may create copies of itself in one of the following folders:

  • %temp%
  • %appdata%
  • %appdata%\microsoft
  • %localappdata%
  • %windir%
  • %system%
  • %system%\drivers

Its filename may be one of the following (all are names of legitimate Windows system binaries, so a name match on its own is not an indicator; the copy's location and the autorun entry below are):

  • cisvc.exe
  • clipsrv.exe
  • cmstp.exe
  • comrepl.exe
  • dllhst3g.exe
  • esentutl.exe
  • ieudinit.exe
  • logman.exe
  • mqtgsvc.exe
  • mstinit.exe
  • mstsc.exe
  • rsvp.exe
  • sessmgr.exe
  • spoolsv.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "%variable%" = "%malwarepath% /waitservice"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "%variable%" = "%malwarepath% /waitservice"
  • [HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "%variable%" = "%malwarepath% /waitservice"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\load]
    • "%variable%" = "%malwarepath% /waitservice"

This causes the trojan to be executed at every user logon. Note that the Policies\Explorer\Run keys are the Group Policy counterparts of the usual ...\CurrentVersion\Run keys and are processed by Explorer at logon, so an autorun review limited to the standard Run keys misses these entries.

The %variable% is one of the following strings:

  • DllHst
  • ComRepl
  • CmSTP
  • ClipSrv
  • Esent Utl
  • Cisvc
  • Mstsc
  • MstInit
  • MqtgSVC
  • rsvp
  • SessMgr
  • Spool
  • IEudinit
  • Logman
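
As an added hunting example (not code from the ESET description), the following Python script takes the text output of `reg query <key> /s` and flags values that look like Rodecap.AA persistence: the `/waitservice` switch on its own, or a value name from the %variable% list pointing at a file name from the list above. It goes slightly beyond the page in two ways that are assumptions here: it checks any Run-style key, not only the four listed, and it also checks HKEY_USERS\.DEFAULT and notes when the executable lives under a user-writable profile directory. The registry output below is constructed for the example.

```python
"""Hunt for Win32/Rodecap.AA-style autorun entries in `reg query` output."""
import ntpath
import re
from typing import Dict, List, Tuple

# Indicators copied from the description above (lower-cased for comparison).
RODECAP_RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\.default\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows\load",
    # Assumption added here: the .DEFAULT profile is mounted under HKEY_USERS, so check it there too.
    r"hkey_users\.default\software\microsoft\windows\currentversion\policies\explorer\run",
}
RODECAP_FILENAMES = {
    "cisvc.exe", "clipsrv.exe", "cmstp.exe", "comrepl.exe", "dllhst3g.exe",
    "esentutl.exe", "ieudinit.exe", "logman.exe", "mqtgsvc.exe", "mstinit.exe",
    "mstsc.exe", "rsvp.exe", "sessmgr.exe", "spoolsv.exe",
}
RODECAP_VALUE_NAMES = {
    "dllhst", "comrepl", "cmstp", "clipsrv", "esent utl", "cisvc", "mstsc",
    "mstinit", "mqtgsvc", "rsvp", "sessmgr", "spool", "ieudinit", "logman",
}
# Assumption: path fragments that mark user-writable profile locations (%temp%, %appdata%, ...).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\application data\\", "\\temp\\", "\\local settings\\")

KEY_LINE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse `reg query <key> /s`-style output into (key, value name, type, data) tuples."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        key_match = KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_LINE.match(line)
        if value_match and current_key:
            entries.append((current_key, *value_match.groups()))
    return entries


def split_command(data: str) -> Tuple[str, str]:
    """Split a Run-value command line into (executable path, argument string)."""
    data = data.strip()
    quoted = re.match(r'^"([^"]+)"\s*(.*)$', data)
    if quoted:
        return quoted.group(1), quoted.group(2)
    # Unquoted paths may contain spaces; cut after the first ".exe" instead of at whitespace.
    exe = re.match(r"^(.*?\.exe)\b\s*(.*)$", data, re.I)
    if exe:
        return exe.group(1), exe.group(2)
    parts = data.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def find_rodecap_autoruns(reg_text: str) -> List[Dict[str, object]]:
    """Return the autorun values that look like Rodecap.AA persistence, with the reasons."""
    findings = []
    for key, name, _type, data in parse_reg_query(reg_text):
        exe, args = split_command(data)
        reasons = []
        if key.lower() in RODECAP_RUN_KEYS:
            reasons.append("rodecap-run-key")
        if "/waitservice" in args.lower().split():
            reasons.append("waitservice-switch")
        if name.lower() in RODECAP_VALUE_NAMES:
            reasons.append("value-name-match")
        if ntpath.basename(exe).lower() in RODECAP_FILENAMES:
            reasons.append("drop-filename-match")
        if any(marker in exe.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("user-writable-dir")
        # The switch alone is specific enough; a listed value name pointing at a listed
        # file name is the weaker but still characteristic combination.
        strong = "waitservice-switch" in reasons
        combo = "value-name-match" in reasons and "drop-filename-match" in reasons
        if strong or combo:
            findings.append({"key": key, "name": name, "exe": exe, "args": args, "reasons": reasons})
    return findings


# Constructed sample in `reg query` output format: two Rodecap-style entries under the
# Policies\Explorer\Run keys, one under the ordinary Run key, and one benign OneDrive entry.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    SessMgr    REG_SZ    C:\WINDOWS\system32\drivers\sessmgr.exe /waitservice

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Esent Utl    REG_SZ    "C:\Documents and Settings\alice\Application Data\Microsoft\esentutl.exe" /waitservice
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Spool    REG_SZ    C:\Users\alice\AppData\Roaming\spoolsv.exe
"""

if __name__ == "__main__":
    for hit in find_rodecap_autoruns(REG_SAMPLE):
        print(f"{hit['key']}\n  {hit['name']!r} -> {hit['exe']} {hit['args']}".rstrip())
        print(f"  reasons: {', '.join(hit['reasons'])}")
```

On a live host the input would come from `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /s` and its HKCU and HKU\.DEFAULT counterparts; the OneDrive line shows that a legitimate Policies\Explorer\Run entry is not flagged, and the Spool line shows the weaker name-plus-filename match firing without the switch.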

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of three URLs. It can download and execute a file from the Internet; the HTTP protocol is used.
