Win32/Flooder.Ramagedos [Threat Name]
Win32/Flooder.Ramagedos.E [Threat Variant Name]
Category | trojan
Size | 45056 B
Detection created | Dec 02, 2011
Detection database version | 6678
Aliases | Trojan:Win32/Ontonphu.A (Microsoft)
Short description
The trojan serves as a backdoor. It can be controlled remotely. The trojan may perform DoS/DDoS attacks.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable%.exe
A string with variable content is used instead of %variable%.
The file is then executed.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "%appdata%\%variable%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable%" = "%appdata%\%variable%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "Explorer.exe,%appdata%\%variable%.exe"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%variable%" = "%appdata%\%variable%.exe:*:%variable%"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%variable%" = "%appdata%\%variable%.exe:*:%variable%"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%variable%" = "%appdata%\%variable%.exe:*:%variable%"
These entries add the trojan's executable to the Windows Firewall list of authorized applications, creating a firewall exception that lets it accept inbound connections. The same value is written under CurrentControlSet and the numbered ControlSet00N copies so the exception survives a control set switch.
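To turn the installation and firewall entries above into something that can be checked on a suspect host, here is an added example in Python (not ESET's tooling, and not code from this page) that scans a text export of the registry, as written by `reg export`, for those artifacts. It assumes the export has already been decoded from UTF-16 to text; the sample export embedded below is constructed, and the value name `xkqwe` is a made-up stand-in for %variable%. The `Shell` value is looked up under the `Winlogon` key itself, where Windows reads it, and the firewall list is checked under CurrentControlSet and the numbered ControlSet00N copies alike.

```python
"""Hunt for the Ramagedos persistence and firewall-exception artifacts
in a text export of the registry (what `reg export <key> out.reg` writes,
after decoding it from UTF-16). Added example, not ESET's tooling; the
sample below is constructed and "xkqwe" is a made-up %variable% name."""
import re

# Constructed sample export (hypothetical data, not from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"xkqwe"="C:\\Users\\alice\\AppData\\Roaming\\xkqwe.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"xkqwe"="C:\\Users\\alice\\AppData\\Roaming\\xkqwe.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,C:\\Users\\alice\\AppData\\Roaming\\xkqwe.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"xkqwe"="C:\\Users\\alice\\AppData\\Roaming\\xkqwe.exe:*:xkqwe"
'''

# Registry key names are case-insensitive, so compare upper-cased paths.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".upper(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run".upper(),
}
# The "Shell" value lives directly under the Winlogon key.
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".upper()
# Matches CurrentControlSet as well as the numbered ControlSet00N copies.
FIREWALL_LIST = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\SharedAccess"
    r"\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List$",
    re.IGNORECASE,
)
# An .exe sitting directly in %APPDATA% (Roaming on Vista+, Application Data on XP).
APPDATA_EXE = re.compile(
    r'\\(?:AppData\\Roaming|Application Data)\\[^\\:,"]+\.exe\b', re.IGNORECASE
)
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_indicators(keys):
    """Return (kind, key, value_name, data) tuples for the artifacts described above."""
    hits = []
    for key, values in keys.items():
        ukey = key.upper()
        for name, data in values.items():
            if ukey in RUN_KEYS and APPDATA_EXE.search(data):
                hits.append(("run-key", key, name, data))
            elif ukey == WINLOGON_KEY and name.lower() == "shell":
                # The default Shell value is just explorer.exe; anything appended
                # after a comma is started alongside the desktop shell at logon.
                if data.strip().lower() != "explorer.exe":
                    hits.append(("winlogon-shell", key, name, data))
            elif FIREWALL_LIST.match(key) and APPDATA_EXE.search(data):
                hits.append(("firewall-exception", key, name, data))
    return hits


def scan(text):
    """Parse a .reg dump and return the indicator hits found in it."""
    return find_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for kind, key, name, data in scan(SAMPLE_REG):
        print(f"{kind:20} {key}\n{'':20} {name!r} = {data!r}")
```

Against a real export, call `scan(open("hkcu.reg", encoding="utf-16").read())`. The Winlogon check flags any non-default Shell value, so a hit there is a lead to confirm by hand rather than a verdict on its own; the Run-key and firewall checks are narrower, since they require an executable placed directly in the roaming profile directory.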
Information stealing
The trojan collects the following information:
- operating system version
- volume serial number
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 3 URLs. The HTTP protocol is used for this communication.
It may perform the following actions:
- perform DoS/DDoS attacks
- send gathered information