Win32/Rodecap [Threat Name]
Win32/Rodecap.AA [Threat Variant Name]
| Category | trojan |
| Size | 95232 B |
| Aliases | Trojan.Win32.Scar.bklu (Kaspersky), Trojan:Win32/Rodecap.A (Microsoft), Downloader (Symantec) |
Short description
Win32/Rodecap.AA is a trojan which tries to download other malware from the Internet. It can be controlled remotely.
Installation
The trojan may create copies of itself in the folder:
- %temp%
- %appdata%
- %appdata%\microsoft
- %localappdata%
- %windir%
- %system%
- %system%\drivers
Its filename may be one of the following:
- cisvc.exe
- clipsrv.exe
- cmstp.exe
- comrepl.exe
- dllhst3g.exe
- esentutl.exe
- ieudinit.exe
- logman.exe
- mqtgsvc.exe
- mstinit.exe
- mstsc.exe
- rsvp.exe
- sessmgr.exe
- spoolsv.exe
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable%" = "%malwarepath% /waitservice"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable%" = "%malwarepath% /waitservice"
- [HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable%" = "%malwarepath% /waitservice"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\load]
- "%variable%" = "%malwarepath% /waitservice"
This causes the trojan to be executed on every system start.
The %variable% is one of the following strings:
- DllHst
- ComRepl
- CmSTP
- ClipSrv
- Esent Utl
- Cisvc
- Mstsc
- MstInit
- MqtgSVC
- rsvp
- SessMgr
- Spool
- IEudinit
- Logman
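As an added example from the defender's side (not part of the original threat description), the following PowerShell audit checks the drop folders and autostart locations listed above for the filenames, value names, 95232 B size and "/waitservice" switch the description associates with Win32/Rodecap.AA. Two choices are my own generalization: every loaded hive under HKEY_USERS is walked (which covers both the HKEY_CURRENT_USER and .DEFAULT entries above), and the listed filenames are treated as suspicious only in the non-system folders, because in %system% and %system%\drivers most of them are names of legitimate Windows binaries.

```powershell
# Added audit script; not part of the ESET description. Read-only: it reports, it does not remove.
$valueNames = @('DllHst','ComRepl','CmSTP','ClipSrv','Esent Utl','Cisvc','Mstsc',
                'MstInit','MqtgSVC','rsvp','SessMgr','Spool','IEudinit','Logman')
$fileNames  = @('cisvc.exe','clipsrv.exe','cmstp.exe','comrepl.exe','dllhst3g.exe','esentutl.exe',
                'ieudinit.exe','logman.exe','mqtgsvc.exe','mstinit.exe','mstsc.exe','rsvp.exe',
                'sessmgr.exe','spoolsv.exe')
$knownSize  = 95232   # size listed in the description; a match is a hint, not proof

# --- Registry autostart locations -------------------------------------------------
$policiesRun = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$keys = @("Registry::HKEY_LOCAL_MACHINE\$policiesRun")
# One Policies\Explorer\Run key per loaded user hive (assumption: covers HKCU and .DEFAULT).
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { $keys += "Registry::$($_.Name)\$policiesRun" }
# The 'load' value normally lives under the ...\Windows key; the description writes ...\Windows\load,
# so both the key itself and a possible subkey of that name are checked.
$keys += 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$keys += 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\load'

$regFindings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data    = [string]$item.GetValue($name)
        $nameHit = $valueNames -contains $name          # -contains is case-insensitive
        $dataHit = $data -match '(?i)/waitservice'
        if ($nameHit -or $dataHit) {
            [pscustomobject]@{
                Key  = $key
                Name = $name
                Data = $data
                Why  = @((if ($nameHit) {'value name'}), (if ($dataHit) {'/waitservice switch'})) -join ', '
            }
        }
    }
}

# --- Drop folders where none of the listed names is a legitimate binary ---------------
$dropFolders = @($env:TEMP, $env:APPDATA, (Join-Path $env:APPDATA 'Microsoft'), $env:LOCALAPPDATA, $env:windir)
$fileFindings = foreach ($folder in $dropFolders) {
    foreach ($fn in $fileNames) {
        $p = Join-Path $folder $fn
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $len = (Get-Item -LiteralPath $p).Length
            [pscustomobject]@{ Path = $p; Size = $len; SizeMatches = ($len -eq $knownSize) }
        }
    }
}

if ($regFindings)  { 'Suspicious autostart entries:'; $regFindings  | Format-Table -AutoSize } else { 'No matching autostart entries.' }
if ($fileFindings) { 'Listed filenames in drop folders:'; $fileFindings | Format-Table -AutoSize } else { 'No listed filenames in drop folders.' }
```

Run it in an elevated session so the HKEY_LOCAL_MACHINE keys and every loaded user hive are readable; a hit on a value name alone is weak evidence, while a "/waitservice" command line pointing into one of the drop folders is the combination the description actually describes.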
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 3 URLs. It can download and execute a file from the Internet, using the HTTP protocol.