Win64/Remexi [Threat Name] go to Threat

Win64/Remexi.A [Threat Variant Name]

Category trojan
Size 211968 B
Detection created Dec 09, 2015
Detection database version 12698
Aliases Backdoor.Win64.Agent.kf (Kaspersky)
  Backdoor.Remexi.B (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan is usually a part of other malware.


The trojan does not create any copies of itself.


The trojan may register itself as a system service using a random filename.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­%malwarefilenamewithoutextension%\­Parameters]
    • "ServiceDll" = "%malwarefilepath%"
    • "Arguments" = "%variable%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­SvcHost]
    • "%malwarefilenamewithoutextension%" = "%malwarefilenamewithoutextension%"

This causes the trojan to be executed on every system start.


A string with variable content is used instead of %variable% .

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The TCP, HTTP protocol is used in the communication.


It can execute the following operations:

  • execute shell commands

The trojan launches the following processes:

  • cmd.exe

The trojan keeps various information in the following files:

  • %temp%\­TS_%variable%.tmp

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.