Win32/Redyms [Threat Name] go to Threat

Win32/Redyms.AA [Threat Variant Name]

Category trojan
Size 100352 B
Aliases Trojan.Win32.Redyms.e (Kaspersky)
  Trojan:Win32/Redyms.A (Microsoft)
Short description

Win32/Redyms.AA is a trojan that redirects results of online search engines to specific web sites. The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %appdata%\­%variable1%\­%variable2%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Adobe CSx Manager" = "%appdata%\­%variable1%\­%variable2%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%variable2%" = "%appdata%\­%variable1%\­%variable2%.exe"

A string with variable content is used instead of %variable1-2% .

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main\­FeatureControl\­FEATURE_BROWSER_EMULATION]
    • "twunk_32.exe" = 32768
    • "winhlp32.exe" = 32768

The trojan creates and runs a new thread with its own program code in all running processes.

The trojan launches the following processes:

  • twunk_32.exe
  • winhlp32.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings

The trojan can send the information to a remote machine.

Other information

Win32/Redyms.AA is a trojan that redirects results of online search engines to specific web sites.

The trojan interferes with communication when any of the following sites is accessed:

  • **
  • **
  • **
  • **
  • **
  • **

The following programs are affected:

  • Avant Browser
  • Google Chrome
  • Internet Explorer
  • Maxthon
  • Mozilla Firefox
  • Netscape
  • Opera
  • Safari

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (8) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • monitor network traffic
  • modify network traffic
  • modify website content
  • open a specific URL address

The trojan checks for Internet connectivity by trying to connect to the following servers:


The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­Adobe\­CSXS.2.5\­bCollab_tDocs]
  • [HKEY_CURRENT_USER\­Software\­Adobe\­CSXS.2.5\­bProofingSpace]

The trojan hooks the following Windows APIs:

  • DialogBoxIndirectParamAorW (user32.dll)
  • GetCursorPos (user32.dll)
  • waveOutOpen (winmm.dll)
  • WSPCloseSocket (mswsock.dll)
  • WSPRecv (mswsock.dll)
  • WSPSend (mswsock.dll)
  • ZwResumeThread (ntdll.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.