Win32/Flooder.Ramagedos [Threat Name] go to Threat

Win32/Flooder.Ramagedos.E [Threat Variant Name]

Category	trojan
Size	45056 B
Detection created	Dec 02, 2011
Detection database version	6678
Aliases	Trojan:Win32/Ontonphu.A (Microsoft)

The trojan serves as a backdoor. It can be controlled remotely. The trojan may perform DoS/DDoS attacks.

When executed, the trojan copies itself into the following location:

A string with variable content is used instead of %variable% .

The file is then executed.

In order to be executed on every system start, the trojan sets the following Registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "%appdata%\%variable%.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable%" = "%appdata%\%variable%.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
- "Shell" = "Explorer.exe,%appdata%\%variable%.exe"

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%variable%" = "%appdata%\%variable%.exe:*:%variable%"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%variable%" = "%appdata%\%variable%.exe:*:%variable%"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%variable%" = "%appdata%\%variable%.exe:*:%variable%"

The performed data entry creates an exception in the Windows Firewall program.

The trojan collects the following information:

The trojan attempts to send gathered information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

It may perform the following actions: