Win32/Flooder.Ramagedos [Threat Name]

Win32/Flooder.Ramagedos.E [Threat Variant Name]

Category: trojan
Size: 45056 B
Aliases: Trojan:Win32/Ontonphu.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan may perform DoS/DDoS attacks.


When executed, the trojan copies itself into the following location:

  • %appdata%\%variable%.exe

A string with variable content is used instead of %variable%.

The file is then executed.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%appdata%\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "%variable%" = "%appdata%\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
    • "Shell" = "Explorer.exe,%appdata%\%variable%.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%variable%" = "%appdata%\%variable%.exe:*:%variable%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%variable%" = "%appdata%\%variable%.exe:*:%variable%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%variable%" = "%appdata%\%variable%.exe:*:%variable%"

These entries create an exception for the trojan in Windows Firewall.
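
The following check is an added example, not part of the original description or any vendor tooling. It correlates the autostart and firewall entries listed above by looking for one name that appears both as the registry value name and as an .exe directly under %appdata%. The snapshot layout (key path mapped to value name and data), the function names and the sample values are assumptions constructed for illustration, and paths are assumed to be stored in expanded form.

```python
import ntpath
from collections import defaultdict

# Key suffixes from the description above, compared case-insensitively.
RUN = (r"\software\microsoft\windows\currentversion\run",
       r"\software\microsoft\windows\currentversion\policies\explorer\run")
WINLOGON = r"\windows nt\currentversion\winlogon"
FIREWALL = r"\firewallpolicy\standardprofile\authorizedapplications\list"

def stem_in_appdata(path, appdata):
    """Return <name> (lower case) if path is exactly <appdata>\\<name>.exe, else None."""
    folder, leaf = ntpath.split(path.strip().strip('"'))
    name, ext = ntpath.splitext(leaf)
    same_dir = folder.lower() == appdata.lower().rstrip("\\")
    return name.lower() if same_dir and ext.lower() == ".exe" else None

def find_persistence(snapshot, appdata):
    """Map each suspicious exe name to the indicator kinds that reference it."""
    hits = defaultdict(set)
    for key, values in snapshot.items():
        k = key.lower()
        for vname, data in values.items():
            data = data if isinstance(data, str) else ""  # DWORD/binary: no path
            if k.endswith(RUN):
                stem = stem_in_appdata(data, appdata)
                if stem and stem == vname.lower():
                    hits[stem].add("run")
            elif k.removesuffix(r"\shell").endswith(WINLOGON) and vname.lower() == "shell":
                for extra in data.split(",")[1:]:  # anything after Explorer.exe
                    stem = stem_in_appdata(extra, appdata)
                    if stem:
                        hits[stem].add("winlogon-shell")
            elif k.endswith(FIREWALL):
                path, sep, label = data.rpartition(":*:")
                stem = stem_in_appdata(path, appdata) if sep else None
                if stem and stem == label.lower() == vname.lower():
                    hits[stem].add("firewall")
    return {stem: sorted(kinds) for stem, kinds in hits.items()}

# Constructed sample: expanded %appdata% and a registry snapshot, not real data.
APPDATA = r"C:\Users\lab\AppData\Roaming"
SAMPLE = {
    "HKEY_CURRENT_USER" + RUN[0]: {"svcq": APPDATA + r"\svcq.exe",
                                   "Updater": APPDATA + r"\tool.exe"},  # name mismatch
    r"HKEY_CURRENT_USER\Software\Microsoft" + WINLOGON:
        {"Shell": "Explorer.exe," + APPDATA + r"\svcq.exe"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters" + FIREWALL:
        {"svcq": APPDATA + r"\svcq.exe:*:svcq"},
}
print(find_persistence(SAMPLE, APPDATA))
```

A name reported with several indicator kinds at once matches the combination described above more closely than a single Run entry does.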

Information stealing

The trojan collects the following information:

  • operating system version
  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs. It uses the HTTP protocol.

It may perform the following actions:

  • perform DoS/DDoS attacks
  • send gathered information
