MSIL/Restamdos [Threat Name]
MSIL/Restamdos.AK [Threat Variant Name]
Category | trojan
Size | 57344 B
Aliases | Trojan.Win32.Jorik.Arcdoor.bke (Kaspersky), Trojan:Win32/Sisron (Microsoft), Dropper.Msil.M (AVG)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %temp%\AutoStart.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Audio HD Driver" = "%temp%\AutoStart.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Audio HD Driver" = "%temp%\AutoStart.exe"
The following Registry entry is set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 2
The trojan quits immediately if it is run within a debugger.
The trojan terminates its execution if it detects that it is running in a specific virtual environment.
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
- cain.exe
- filemon.exe
- netmon.exe
- netstat.exe
- procmon.exe
- regmon.exe
- tcpview.exe
- wireshark.exe
After the installation is complete, the trojan deletes the original executable file.
Information stealing
MSIL/Restamdos.AK is a trojan that steals sensitive information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- computer name
- operating system version
- country
The following programs are affected:
- Mozilla Firefox
- FileZilla
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- perform DoS/DDoS attacks
- update itself to a newer version
- uninstall itself
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "EnableBalloonTips" = 0
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
- "DisableCMD" = 2
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableRegistryTools" = 1
- "DisableTaskMgr" = 1
- "SetValue" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "SetValue" = 0
The trojan may execute the following commands:
- Netsh Advfirewall set Currentprofile State off
The trojan may display a fake error message:
Trojan requires the Microsoft .NET framework to run.
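The persistence entry under Installation and the policy and firewall changes under Other information are all visible in a registry export and in process-creation telemetry. The following Python script is an added example, not part of the ESET description: it parses a `.reg` text export, flags the "Audio HD Driver" Run value and the Policies\System tampering listed above, and matches the netsh firewall command against captured command lines. The sample export and command lines are constructed for the example; the function and rule names are the example's own. The netsh pattern is generalised slightly to any profile argument (the page shows only Currentprofile).

```python
"""Scan a Windows registry export (.reg text) and a list of process command
lines for the MSIL/Restamdos.AK indicators described on this page.
All sample input below is constructed for the example."""
import re
from typing import Dict, List

RegKeys = Dict[str, Dict[str, object]]  # key path -> {value name: data}

# Run keys where the page reports the persistence value being created.
RUN_KEY_RE = re.compile(
    r"^hkey_(local_machine|current_user)\\software\\microsoft\\windows\\currentversion\\run$",
    re.IGNORECASE,
)

# Policy values from the page, keyed by lower-cased registry path.
# "Hidden"=2 is Explorer's default (hidden files not shown) and "SetValue"=0 has no
# documented meaning on the page, so neither is used as an indicator on its own.
POLICY_INDICATORS = {
    r"hkey_current_user\software\policies\microsoft\windows\system": {"disablecmd": {1, 2}},
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system": {
        "disableregistrytools": {1},
        "disabletaskmgr": {1},
    },
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced": {
        "enableballoontips": {0},
    },
}

# "Netsh Advfirewall set Currentprofile State off" and its other-profile variants.
NETSH_FW_OFF_RE = re.compile(r"netsh\s+advfirewall\s+set\s+\w+profiles?\s+state\s+off", re.IGNORECASE)


def parse_reg_export(text: str) -> RegKeys:
    """Minimal parser for the 'Windows Registry Editor Version 5.00' format.
    Handles quoted REG_SZ data and dword: data; other types are kept as raw text."""
    keys: RegKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue  # default values (@=) and continuation lines are not needed here
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            value: object = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')  # undo .reg escaping
        else:
            value = data
        keys[current][name] = value
    return keys


def check_registry(keys: RegKeys) -> List[str]:
    """Return one finding string per matching persistence or policy indicator."""
    findings: List[str] = []
    for path, values in keys.items():
        if RUN_KEY_RE.match(path):
            for name, data in values.items():
                target = str(data).lower()
                if name.lower() == "audio hd driver" or (
                    target.endswith("\\autostart.exe") and "\\temp\\" in target
                ):
                    findings.append(f'persistence: [{path}] "{name}" = {data}')
        wanted = POLICY_INDICATORS.get(path.lower(), {})
        for name, data in values.items():
            if name.lower() in wanted and data in wanted[name.lower()]:
                findings.append(f'policy tampering: [{path}] "{name}" = {data}')
    return findings


def check_command_lines(lines: List[str]) -> List[str]:
    """Flag process command lines that turn the Windows firewall profile off."""
    return [f"firewall disabled: {l.strip()}" for l in lines if NETSH_FW_OFF_RE.search(l)]


def scan(reg_text: str, command_lines: List[str]) -> List[str]:
    return check_registry(parse_reg_export(reg_text)) + check_command_lines(command_lines)


# Constructed sample export: one benign Run value plus the page's indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Audio HD Driver"="C:\\Users\\alice\\AppData\\Local\\Temp\\AutoStart.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
'''

# Constructed sample command lines (e.g. from Sysmon process-creation events).
SAMPLE_CMDS = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\Users\alice\AppData\Local\Temp\AutoStart.exe",
    "netsh Advfirewall set Currentprofile State off",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_CMDS):
        print(finding)
```

On a live host the export would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other paths above), and the command lines from the endpoint's process-creation log. The Run-value check matches on the value name or on an AutoStart.exe under a Temp directory, so a renamed value name with the same drop path is still caught.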