Win32/Rovnix [Threat Name] go to Threat

Win32/Rovnix.R [Threat Variant Name]

Category trojan
Size 157696 B
Detection created Jun 02, 2014
Detection database version 9879
Aliases PWS:Win32/Zbot.gen!AP (Microsoft)
  Sf:Zbot-IB (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

The trojan does not create any copies of itself.


The following Registry entry is set:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Internet Explorer\­Main\­FeatureControl\­FEATURE_BROWSER_EMULATION]
    • "iexplore.exe" = 11001

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Session Manager\­SubSystems]
    • "Windows" = "%SystemRoot%\­system32\­csrss.exe ObjectDirectory=\­Windows SharedSection=1024,1536,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

The trojan launches the following processes:

  • %programfiles%\­Internet Explorer\­iexplore.exe

The trojan creates and runs a new thread with its own code within these running processes.

Information stealing

The trojan collects the following information:

  • computer name
  • operating system version
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (6) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • stop itself for a certain time period
  • open a specific URL address

It can show advertisements.


The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The following programs are terminated:

  • ctfmon.exe

The trojan hooks the following Windows APIs:

  • PlaySoundA (winmm.dll)
  • PlaySoundW (winmm.dll)
  • waveOutWrite (winmm.dll)
  • MessageBoxA (user32.dll)
  • MessageBoxW (user32.dll)
  • MessageBoxExA (user32.dll)
  • MessageBoxExW (user32.dll)
  • MessageBoxIndirectA (user32.dll)
  • MessageBoxIndirectW (user32.dll)
  • RegCloseKey (advapi32.dll)
  • RegEnumKeyExA (advapi32.dll)
  • RegEnumKeyExW (advapi32.dll)
  • RegEnumValueA (advapi32.dll)
  • RegEnumValueW (advapi32.dll)
  • RegOpenKeyA (advapi32.dll)
  • RegOpenKeyW (advapi32.dll)
  • RegOpenKeyExA (advapi32.dll)
  • RegOpenKeyExW (advapi32.dll)
  • RegCreateKeyA (advapi32.dll)
  • RegCreateKeyW (advapi32.dll)
  • RegCreateKeyExA (advapi32.dll)
  • RegCreateKeyExW (advapi32.dll)
  • RegQueryInfoKeyA (advapi32.dll)
  • RegQueryInfoKeyW (advapi32.dll)
  • RegQueryValueExA (advapi32.dll)
  • RegQueryValueExW (advapi32.dll)
  • GetCursorInfo (user32.dll)
  • GetMessagePos (user32.dll)
  • GetCursorPos (user32.dll)
  • SetCursorPos (user32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • InternetOpenA (wininet.dll)
  • InternetOpenW (wininet.dll)
  • NtCreateProcess (ntdll.dll)
  • NtCreateProcessEx (ntdll.dll)
  • NtCreateUserProcess (ntdll.dll)
  • RtlCreateUserProcess (ntdll.dll)

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­SOFTWARE\­%variable1%\­dynamicdata]
  • [HKEY_CURRENT_USER\­SOFTWARE\­%variable2%\­License]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­%variable1%\­dynamicdata]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­%variable2%\­License]

A string with variable content is used instead of %variable1-2% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.