Win32/Redyms [Threat Name] go to Threat
Win32/Redyms.AA [Threat Variant Name]
| Category | trojan |
| Size | 100352 B |
| Aliases | Trojan.Win32.Redyms.e (Kaspersky) |
| Trojan:Win32/Redyms.A (Microsoft) |
Short description
Win32/Redyms.AA is a trojan that redirects results of online search engines to specific web sites. The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable1%\%variable2%.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Adobe CSx Manager" = "%appdata%\%variable1%\%variable2%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable2%" = "%appdata%\%variable1%\%variable2%.exe"
A string with variable content is used instead of %variable1-2% .
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
- "twunk_32.exe" = 32768
- "winhlp32.exe" = 32768
The trojan creates and runs a new thread with its own program code in all running processes.
The trojan launches the following processes:
- twunk_32.exe
- winhlp32.exe
After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects the following information:
- operating system version
- information about the operating system and system settings
The trojan can send the information to a remote machine.
Other information
Win32/Redyms.AA is a trojan that redirects results of online search engines to specific web sites.
The trojan interferes with communication when any of the following sites is accessed:
- *.ask.com*
- *search.aol.*
- *search.xxx*
- *search.yahoo.*
- *www.bing.com*
- *www.google.*
The following programs are affected:
- Avant Browser
- Google Chrome
- Internet Explorer
- Maxthon
- Mozilla Firefox
- Netscape
- Opera
- Safari
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (8) URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- create Registry entries
- monitor network traffic
- modify network traffic
- modify website content
- open a specific URL address
The trojan checks for Internet connectivity by trying to connect to the following servers:
- http://www.microsoft.com
The trojan keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\Software\Adobe\CSXS.2.5\bCollab_tDocs]
- [HKEY_CURRENT_USER\Software\Adobe\CSXS.2.5\bProofingSpace]
The trojan hooks the following Windows APIs:
- DialogBoxIndirectParamAorW (user32.dll)
- GetCursorPos (user32.dll)
- waveOutOpen (winmm.dll)
- WSPCloseSocket (mswsock.dll)
- WSPRecv (mswsock.dll)
- WSPSend (mswsock.dll)
- ZwResumeThread (ntdll.dll)