Win32/Vedrio [Threat Name]

Win32/Vedrio.A [Threat Variant Name]

Category trojan
Size 34816 B
Detection created Jan 21, 2010
Detection database version 4795
Aliases Trojan.Win32.Genome.epoy (Kaspersky)
  Trojan.Hydraq (Symantec)
  Roarur.dr (McAfee)
Short description

Win32/Vedrio.A installs a backdoor that can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:

  • %system%\Rasmon.dll (90112 B)
  • %windir%\DFS.bat

The trojan registers itself as a system service using the following name:

  • UpsWts

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "UpsWts"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS\0000]
    • "Service" = "UpsWts"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "UpsWts"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random%\Security]
    • "Security" = %hex_value%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random%\Parameters]
    • "ServiceDll" = "%system%\rasmon.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random%]
    • "ErrorControl" = 0
    • "Start" = 2
    • "Type" = 32
    • "ImagePath" = "%system%\svchost.exe -k netsvcs"
    • "ObjectName" = "LocalSystem"

This causes the trojan to be executed on every system start.

A string with variable content is used instead of %random%.

Other information

The trojan contains a backdoor.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan connects to the following addresses:

  • 360.homeunix.com (TCP:443)
  • 192.168.5.164 (TCP:443)

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • delete Registry entries
  • remove itself from the infected computer
  • send the list of disk devices and their type to a remote computer
  • terminate running processes
  • send files to a remote computer
  • set file attributes
  • delete cookies
  • shut down/restart the computer
  • retrieve CPU information

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Sun\1.1.2]
    • "AppleTlk" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\Software\Sun\1.1.2]
    • "IsoTp" = "%variable2%"

A string with variable content is used instead of %variable1% and %variable2%.
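As an added detection example (not ESET's code and not part of this description), the following Python scans a regedit-style .reg export for the artefacts listed above under Installation (the svchost-hosted RaS%random% service whose ServiceDll is rasmon.dll, the UpsWts service and its LEGACY_UPSWTS enumeration key) and under the configuration entries just listed (AppleTlk and IsoTp beneath Software\Sun\1.1.2). The sample export is constructed, with string values written plainly rather than in the hex(2) form regedit emits for REG_EXPAND_SZ, and the "RaS" prefix check is an assumed approximation of the RaS%random% naming: legitimate services such as RasMan share that prefix, so that check is reported only as a low-confidence lead for an analyst to verify.

```python
"""Hunt a .reg export for the Win32/Vedrio.A registry artefacts.

Added example; not ESET code. The SAMPLE_REG text is constructed.
"""
import re

# Indicators taken from the description on this page.
SERVICE_DLL_IOC = "rasmon.dll"           # ServiceDll under Services\RaS%random%\Parameters
SERVICE_NAME_IOC = "upswts"              # service name registered by the trojan
LEGACY_ENUM_IOC = "legacy_upswts"        # Enum\Root\LEGACY_UPSWTS
CONFIG_KEY_IOC = "software\\sun\\1.1.2"  # configuration storage key
CONFIG_VALUES_IOC = {"appletlk", "isotp"}
# Assumption: RaS%random% is approximated by a "RaS" prefix. Legitimate services
# (RasMan, RasAuto) share it, so this is only a weak signal, never a verdict.
RAS_PREFIX = "ras"


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: value}}.

    Handles quoted strings (with \\\\ unescaped to \\) and dword: values;
    any other value type is kept as the raw right-hand side.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace("\\\\", "\\")
            elif value.lower().startswith("dword:"):
                value = int(value[6:], 16)
            keys[current][name] = value
    return keys


def _services(keys):
    """Merge Services\\<name> and Services\\<name>\\Parameters into one record per service."""
    services = {}
    for path, values in keys.items():
        parts = path.split("\\")
        lowered = [p.lower() for p in parts]
        if "services" not in lowered:
            continue
        i = lowered.index("services")
        if i + 1 >= len(parts):
            continue
        rec = services.setdefault(parts[i + 1], {})
        rest = lowered[i + 2:]
        if rest == []:
            rec.update(values)                      # service root: ImagePath, Start, Type, ...
        elif rest == ["parameters"] and "ServiceDll" in values:
            rec["ServiceDll"] = values["ServiceDll"]  # DLL svchost loads for this service
    return services


def find_vedrio_indicators(keys):
    """Return (severity, message) findings for the Vedrio.A artefacts."""
    findings = []
    for name, rec in _services(keys).items():
        dll = str(rec.get("ServiceDll", "")).lower().rsplit("\\", 1)[-1]
        image = str(rec.get("ImagePath", "")).lower()
        hosted = "svchost.exe" in image and "netsvcs" in image
        if dll == SERVICE_DLL_IOC:
            findings.append(("high", f"service {name} loads {SERVICE_DLL_IOC} via ServiceDll"))
        if name.lower() == SERVICE_NAME_IOC:
            findings.append(("high", f"service name {name} matches Vedrio.A service UpsWts"))
        elif hosted and name.lower().startswith(RAS_PREFIX) and dll != SERVICE_DLL_IOC:
            findings.append(("low", f"netsvcs-hosted service {name} has a RaS* name; verify ServiceDll {dll or '<none>'}"))
    for path, values in keys.items():
        lower = path.lower()
        if LEGACY_ENUM_IOC in lower:
            findings.append(("high", f"legacy driver enumeration key present: {path}"))
        if lower.endswith(CONFIG_KEY_IOC):
            hits = sorted(v for v in values if v.lower() in CONFIG_VALUES_IOC)
            if hits:
                findings.append(("medium", f"{path} holds Vedrio.A config values {', '.join(hits)}"))
    return findings


# Constructed sample export: one Vedrio-style service, one legitimate RasMan service,
# the LEGACY_UPSWTS enumeration key and the Sun\1.1.2 configuration values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample with simplified string values
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSa1b2]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSa1b2\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\rasmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\rasmans.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS\0000]
"Service"="UpsWts"
"Legacy"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Sun\1.1.2]
"AppleTlk"="placeholder-variable1"
"IsoTp"="placeholder-variable2"
"""


def scan_reg_text(text):
    """Convenience wrapper: parse an export and return its findings."""
    return find_vedrio_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for severity, message in scan_reg_text(SAMPLE_REG):
        print(f"[{severity:6}] {message}")
```

On a live system the same logic applies to an export produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, although the real export encodes REG_EXPAND_SZ values such as ImagePath as hex(2) byte lists, which this minimal parser leaves as raw strings; the ServiceDll match and the key-name checks still work because those are plain REG_SZ values and key paths.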
