Win32/Rustock [Threat Name]

Win32/Rustock.NJN [Threat Variant Name]

Category trojan
Size 116044 B
Detection created Jun 29, 2009
Detection database version 4196
Aliases Backdoor.Win32.NewRest.ao (Kaspersky)
  Backdoor:WinNT/Rustock.AN (Microsoft)
  Backdoor.Rustock.B (Symantec)
  Win32:Zeroot-B (Avast)
  Win32/Rustock.N.virus (AVG)
Short description

Win32/Rustock.NJN is a trojan that is used for spam distribution. The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan is usually a part of other malware. The trojan is usually found in the following folder:

  • %system%\drivers\

The following filename is used:

  • %variable1%.sys

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable1%]
    • "ImagePath" = "%system%\drivers\%variable1%.sys"
    • "Type" = 1
    • "Start" = 1
    • "ErrorControl" = 1
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services]
    • "ExtParamD" = %variable2%

A string with variable content is used instead of %variable1-2%.
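Added example, not part of the ESET description: a PowerShell hunt for the registry artifacts listed above (the "ExtParamD" value placed directly under the Services key, and a system-start kernel-driver service whose image sits in %system%\drivers). It assumes it is run elevated on the examined host; because the driver filename is variable, the Authenticode check is an added heuristic to narrow the many legitimate drivers that share Type=1/Start=1.

```powershell
# Hunt for the Rustock.NJN service/registry layout described on this page.
# Assumptions: elevated session; paths and value names come from the page,
# the signature heuristic is added here and is not an ESET detection rule.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = @()

# 1. A value named ExtParamD directly under the Services key is not something
#    Windows itself creates; the page reports the trojan storing it there.
$root = Get-ItemProperty -Path $servicesKey -ErrorAction SilentlyContinue
if ($root -and ($root.PSObject.Properties.Name -contains 'ExtParamD')) {
    $findings += [pscustomobject]@{
        Indicator = 'ExtParamD value under Services key'
        Detail    = [string]$root.ExtParamD
    }
}

# Normalise the forms an ImagePath can take for a driver service.
function Resolve-DriverPath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                 # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {               # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# 2. Kernel-driver services (Type=1) with system start (Start=1) whose image is
#    %system%\drivers\<name>.sys and whose binary lacks a valid signature.
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc -and $svc.Type -eq 1 -and $svc.Start -eq 1 -and $svc.ImagePath) {
        $path = Resolve-DriverPath $svc.ImagePath
        if ($path -match '\\drivers\\[^\\]+\.sys$' -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += [pscustomobject]@{
                    Indicator = "System-start driver service '$($_.PSChildName)' without valid signature"
                    Detail    = "$path ($($sig.Status))"
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Because the driver hides itself with rootkit techniques (see below), a clean result from a live system is not conclusive; rerun the same checks against the offline SYSTEM hive and file system from a boot environment.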


The trojan creates and runs a new thread with its own program code within the following processes:

  • services.exe

The following services are disabled:

  • Background Intelligent Transfer Service
  • Windows Update

Other information

Win32/Rustock.NJN is a trojan that is used for spam distribution.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 13 URLs. The trojan generates various URL addresses. The HTTP and SMTP protocols are used.


It can execute the following operations:

  • send spam
  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • monitor network traffic
  • shut down/restart the computer

The trojan hooks the following Windows APIs:

  • ZwOpenKey (ntdll.dll)
  • ZwCreateKey (ntdll.dll)
  • ZwCreateEvent (ntdll.dll)
  • TCPDispatchInternalDeviceControl (tcpip.sys)

The trojan hides its presence in the system. It uses techniques common for rootkits.
