Win32/Remexi [Threat Name]
Win32/Remexi.A [Threat Variant Name]
Category | trojan |
Size | 84480 B |
Detection created | Dec 09, 2015 |
Detection database version | 12698 |
Aliases | Backdoor.Win32.Agent.doox (Kaspersky), Backdoor.Remexi.B (Symantec) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
The trojan is usually a part of other malware.
The trojan does not create any copies of itself.
The trojan may register itself as a system service using a random filename.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%malwarefilenamewithoutextension%\Parameters]
- "ServiceDll" = "%malwarefilepath%"
- "Arguments" = "%variable%"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost]
- "%malwarefilenamewithoutextension%" = "%malwarefilenamewithoutextension%"
This causes the trojan to be executed on every system start.
A string with variable content is used instead of %variable%.
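The persistence described above is the standard svchost-hosted service pattern: a ServiceDll under the service's Parameters key plus a SvcHost group entry whose name is the service name itself. The following Python script is an added example (not ESET's code and not part of the original description) that checks text in the shape of `reg query` output for the two indicators this pattern leaves behind: a ServiceDll outside %SystemRoot%\System32, and a SvcHost group containing only a service of the same name. The sample data is constructed; the service name "winhlp42", the DLL path and the Arguments value are invented placeholders for %malwarefilenamewithoutextension%, %malwarefilepath% and %variable%, and %SystemRoot% is assumed to be C:\Windows.

```python
import re
from typing import Dict, List, Tuple

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SYSTEM32 = r"c:\windows\system32" + "\\"  # assumed %SystemRoot% location, lower-cased

# Constructed sample modelled on `reg query ... /s` output: one legitimate
# svchost-hosted service (Dnscache) and one registered the way the description
# lays out ("winhlp42" is an invented stand-in for the malware file name).
SAMPLE_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winhlp42\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\winhlp42.dll
    Arguments    REG_SZ    kj3h4k

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    netsvcs    REG_MULTI_SZ    BITS\0wuauserv\0Schedule
    winhlp42    REG_MULTI_SZ    winhlp42
"""


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {key_path: {value_name: (type, data)}} from reg-query style text.

    Key paths start in column 0; values are indented and separated by runs of
    four or more spaces (name, type, data)."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # a key path line
            current = raw.strip()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        name = parts[0]
        vtype = parts[1] if len(parts) > 1 else ""
        data = parts[2] if len(parts) > 2 else ""
        keys[current][name] = (vtype, data)
    return keys


def expand(path: str) -> str:
    """Expand %SystemRoot% (assumed C:\\Windows) and lower-case for comparison."""
    return re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE).lower()


def find_suspicious_services(text: str) -> List[Tuple[str, str]]:
    """Flag ServiceDll paths outside System32 and self-named single-member SvcHost groups."""
    keys = parse_reg_query(text)
    findings: List[Tuple[str, str]] = []
    prefix = SERVICES_KEY.lower() + "\\"
    for key, values in keys.items():
        lower = key.lower()
        if lower.startswith(prefix) and lower.endswith("\\parameters"):
            svc = key[len(prefix):].split("\\", 1)[0]
            _vtype, dll = values.get("ServiceDll", ("", ""))
            if dll and not expand(dll).startswith(SYSTEM32):
                findings.append(("servicedll_outside_system32", f"{svc}: {dll}"))
    for key, values in keys.items():
        if key.lower() != SVCHOST_KEY.lower():
            continue
        for name, (_vtype, data) in values.items():
            members = [m for m in data.split(r"\0") if m]  # REG_MULTI_SZ as printed by reg query
            if len(members) == 1 and members[0].lower() == name.lower():
                findings.append(("self_named_svchost_group", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_suspicious_services(SAMPLE_QUERY):
        print(f"{indicator}: {detail}")
```

On a live host the same function can be fed the combined output of `reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s` and `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"`; a ServiceDll outside System32 is not proof of infection on its own, so each hit should be confirmed by inspecting the DLL and its signature.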
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The TCP and HTTP protocols are used in the communication.
It can execute the following operations:
- execute shell commands
The trojan launches the following processes:
- cmd.exe
The trojan keeps various information in the following files:
- %temp%\win%variable%.tmp
A string with variable content is used instead of %variable%.