Win32/Radonskra [Threat Name]

Win32/Radonskra.AA [Threat Variant Name]

Category: trojan
Size: 357376 B
Aliases: Trojan.Win32.Rulbar.g (Kaspersky), Trojan:Win32/Radonskra.A (Microsoft)

Short description

Win32/Radonskra.AA is a trojan used for delivery of unsolicited advertisements.

Installation

When executed, the trojan copies itself into the following location:

  • %localappdata%\Microsoft\Windows\system.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "SystemScript" = "%localappdata\Microsoft\Windows\system.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "SystemScript" = "%localappdata\Microsoft\Windows\system.exe"

The trojan installs browser extensions for the following browsers:

  • Mozilla Firefox
  • Google Chrome
  • Opera
  • Yandex
  • Amigo

The trojan may create the following files:

  • %appdata%\Mozilla\Firefox\Profiles\%user%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24782}.xpi
  • %appdata%\Mozilla\Firefox\Profiles\%user%\gmr_scripts\config.xml
  • %appdata%\Mozilla\Firefox\Profiles\%user%\gmr_scripts\content.user.js
  • %localappdata%\Google\Chrome\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\background.js
  • %localappdata%\Google\Chrome\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\contentscript.js
  • %localappdata%\Google\Chrome\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json
  • %appdata%\Opera Software\Opera Stable\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\background.js
  • %appdata%\Opera Software\Opera Stable\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\contentscript.js
  • %appdata%\Opera Software\Opera Stable\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json
  • %appdata%\Opera Software\Opera Next\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\background.js
  • %appdata%\Opera Software\Opera Next\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\contentscript.js
  • %appdata%\Opera Software\Opera Next\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json
  • %localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\background.js
  • %localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\contentscript.js
  • %localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json
  • %localappdata%\Amigo\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\background.js
  • %localappdata%\Amigo\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\contentscript.js
  • %localappdata%\Amigo\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json

The trojan can modify the following files:

  • %appdata%\Mozilla\Firefox\Profiles\%user%\prefs.js
  • %appdata%\Opera Software\Opera Stable\Preferences
  • %appdata%\Opera Software\Opera Next\Preferences
  • %localappdata%\Google\Chrome\User Data\Default\Secure Preferences
  • %localappdata%\Yandex\YandexBrowser\User Data\Default\Preferences
  • %localappdata%\Amigo\User Data\Default\Extension Data
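
As an added example (not part of the ESET entry), the following PowerShell checks a host for the installation artifacts listed above: the "SystemScript" value under both Run keys, the dropped copy in %localappdata%, the Chromium extension directory that Chrome, Opera, Yandex and Amigo all receive, and the Firefox profile files. It assumes the entry's %user% stands for the Firefox profile directory name, so it walks every profile under Profiles; it only reads and reports, removing nothing.

```powershell
# Added example, not from the ESET entry: read-only hunt for the Win32/Radonskra.AA
# persistence and browser-extension artifacts listed above. Run elevated so HKLM is readable.
$findings = @()
# 1. Autorun entries: value name "SystemScript" under the HKCU and HKLM Run keys
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $val = Get-ItemProperty -Path $key -Name 'SystemScript' -ErrorAction SilentlyContinue
    if ($val) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $key; Detail = $val.SystemScript }
    }
}
# 2. Dropped copy of the trojan (the entry lists 357376 B); hash it for your own records
$dropped = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\system.exe'
if (Test-Path $dropped) {
    $sha = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'File'; Location = $dropped; Detail = "SHA256 $sha" }
}
# 3. Chromium-based browsers all receive the same extension id
$extId = 'nlgdemkdapolikbjimjajpmonpbpmipk'
$chromiumRoots = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'),
                 (Join-Path $env:APPDATA      'Opera Software\Opera Stable\Extensions'),
                 (Join-Path $env:APPDATA      'Opera Software\Opera Next\Extensions'),
                 (Join-Path $env:LOCALAPPDATA 'Yandex\YandexBrowser\User Data\Default\Extensions'),
                 (Join-Path $env:LOCALAPPDATA 'Amigo\User Data\Default\Extensions')
foreach ($root in $chromiumRoots) {
    $extDir = Join-Path $root $extId
    if (Test-Path $extDir) {
        $findings += [pscustomobject]@{ Type = 'Extension'; Location = $extDir; Detail = 'extension id match' }
    }
}
# 4. Firefox: the .xpi and the gmr_scripts user script, checked in every profile directory
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$ffArtifacts = 'extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24782}.xpi', 'gmr_scripts\content.user.js'
if (Test-Path $ffProfiles) {
    foreach ($profile in Get-ChildItem -Path $ffProfiles -Directory) {
        foreach ($rel in $ffArtifacts) {
            $p = Join-Path $profile.FullName $rel
            if (Test-Path $p) {
                $findings += [pscustomobject]@{ Type = 'FirefoxExt'; Location = $p; Detail = 'profile artifact' }
            }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No Win32/Radonskra.AA artifacts found.' }
```

A hit on the Run key alone is enough to confirm the persistence mechanism; the browser preference files the entry lists as modified are not checked here because their legitimate contents vary per user.
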

Other information

Win32/Radonskra.AA is a trojan used for delivery of unsolicited advertisements.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

The trojan displays dialogs within the Internet browser with various advertisements.
