Win32/Rovnix [Threat Name]
Win32/Rovnix.R [Threat Variant Name]
Category | trojan
Size | 157696 B
Aliases | PWS:Win32/Zbot.gen!AP (Microsoft); Sf:Zbot-IB (Avast)
Short description
The trojan serves as a backdoor and can be controlled remotely. It is usually a component of other malware.
Installation
The trojan does not create any copies of itself.
The following Registry entry is set (a DWORD; the value 11001 makes Internet Explorer render pages in IE11 edge mode regardless of their DOCTYPE):
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
- "iexplore.exe" = 11001
The trojan may also set the following Registry entry. This value is the command line with which the Session Manager (smss.exe) starts csrss.exe, so a change here persists across reboots and applies to every session:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
- "Windows" = "%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,1536,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
The trojan launches the following process:
- %programfiles%\Internet Explorer\iexplore.exe
The trojan then injects its own code into the launched process and runs it there in a new thread.
Information stealing
The trojan collects the following information:
- computer name
- operating system version
- information about the operating system and system settings
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 6 URLs and communicates with them over HTTP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- stop itself for a certain time period
- open a specific URL address
It can show advertisements, and it sends HTTP requests that simulate clicks on banner advertisements in order to inflate web counter statistics (click fraud).
The following programs are terminated:
- ctfmon.exe
The trojan hooks the following Windows APIs:
- PlaySoundA (winmm.dll)
- PlaySoundW (winmm.dll)
- waveOutWrite (winmm.dll)
- MessageBoxA (user32.dll)
- MessageBoxW (user32.dll)
- MessageBoxExA (user32.dll)
- MessageBoxExW (user32.dll)
- MessageBoxIndirectA (user32.dll)
- MessageBoxIndirectW (user32.dll)
- RegCloseKey (advapi32.dll)
- RegEnumKeyExA (advapi32.dll)
- RegEnumKeyExW (advapi32.dll)
- RegEnumValueA (advapi32.dll)
- RegEnumValueW (advapi32.dll)
- RegOpenKeyA (advapi32.dll)
- RegOpenKeyW (advapi32.dll)
- RegOpenKeyExA (advapi32.dll)
- RegOpenKeyExW (advapi32.dll)
- RegCreateKeyA (advapi32.dll)
- RegCreateKeyW (advapi32.dll)
- RegCreateKeyExA (advapi32.dll)
- RegCreateKeyExW (advapi32.dll)
- RegQueryInfoKeyA (advapi32.dll)
- RegQueryInfoKeyW (advapi32.dll)
- RegQueryValueExA (advapi32.dll)
- RegQueryValueExW (advapi32.dll)
- GetCursorInfo (user32.dll)
- GetMessagePos (user32.dll)
- GetCursorPos (user32.dll)
- SetCursorPos (user32.dll)
- GetMessageA (user32.dll)
- GetMessageW (user32.dll)
- PeekMessageA (user32.dll)
- PeekMessageW (user32.dll)
- InternetOpenA (wininet.dll)
- InternetOpenW (wininet.dll)
- NtCreateProcess (ntdll.dll)
- NtCreateProcessEx (ntdll.dll)
- NtCreateUserProcess (ntdll.dll)
- RtlCreateUserProcess (ntdll.dll)
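The page lists which exports are hooked but not how the hooks are installed. The check below is an added example, not ESET's code or the trojan's, and it assumes the most common form, an inline patch of the function's first bytes in the 32-bit process: it compares the in-memory prologue of an export with the bytes mapped from disk and, on a mismatch, decodes the usual trampolines (jmp rel32, jmp rel8, jmp [abs], push/ret, mov eax/jmp eax) to recover the hook target. An IAT or EAT hook leaves the prologue intact and is not caught by this check. The function address, hook target and prologue bytes in the sample are constructed for the demo.

```python
import struct

PROLOGUE_LEN = 8  # bytes compared; every trampoline below fits in 8 bytes


def decode_hook(addr, code):
    """Decode a 32-bit inline-hook trampoline at the start of the function at
    `addr`. Returns (kind, target) or None if the bytes are not a redirect.
    Added example; not the trojan's or ESET's code."""
    if len(code) >= 5 and code[0] == 0xE9:                    # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 2 and code[0] == 0xEB:                    # jmp rel8 (hot-patch stub usually sits at addr-5)
        rel = struct.unpack_from("<b", code, 1)[0]
        return ("jmp_rel8", (addr + 2 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":            # jmp dword ptr [abs32]; the slot holds the target
        return ("jmp_indirect", struct.unpack_from("<I", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:        # push imm32; ret
        return ("push_ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32; jmp eax
        return ("mov_jmp_eax", struct.unpack_from("<I", code, 1)[0])
    return None


def check_export(name, addr, in_memory, on_disk):
    """Compare the live prologue with the bytes the loader mapped from disk
    (relocations already applied). Returns None when the export is clean,
    otherwise a record naming the redirect kind and target."""
    n = min(len(in_memory), len(on_disk), PROLOGUE_LEN)
    if in_memory[:n] == on_disk[:n]:
        return None
    hook = decode_hook(addr, in_memory)
    if hook is None:
        return {"export": name, "kind": "patched", "target": None}
    return {"export": name, "kind": hook[0], "target": hook[1]}


def sample_messagebox_case():
    """Constructed data: MessageBoxA is on the hooked-API list above; the
    address 0x7E4507EA and target 0x00401000 are made up for the demo."""
    clean = bytes.fromhex("8BFF558BEC83EC10")   # mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10
    addr, target = 0x7E4507EA, 0x00401000
    hooked = b"\xE9" + struct.pack("<i", target - (addr + 5)) + clean[5:]
    return (check_export("MessageBoxA", addr, hooked, clean),
            check_export("MessageBoxA", addr, clean, clean))


if __name__ == "__main__":
    hooked, clean = sample_messagebox_case()
    print("hooked:", hooked)   # kind jmp_rel32, target 0x401000
    print("clean:", clean)     # None
```

On a live host the `in_memory` bytes come from reading the target process (for example with ReadProcessMemory at the export's address) and `on_disk` from mapping the same DLL yourself and resolving the same export; the comparison only makes sense for the 32-bit image the sample targets, since x64 `FF 25` is RIP-relative and would decode differently.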
The trojan keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\SOFTWARE\%variable1%\dynamicdata]
- [HKEY_CURRENT_USER\SOFTWARE\%variable2%\License]
- [HKEY_LOCAL_MACHINE\SOFTWARE\%variable1%\dynamicdata]
- [HKEY_LOCAL_MACHINE\SOFTWARE\%variable2%\License]
A string with variable content is used instead of %variable1% and %variable2%.
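A host check for the Registry artifacts described on this page (the FEATURE_BROWSER_EMULATION value, the SubSystems\Windows command line, and the SOFTWARE\<variable>\dynamicdata and \License keys), as an added example that is not ESET's code. The indicator logic works on plain dictionaries and lists so it can be run offline; `collect_live()` reads the real registry through `winreg` when run on the Windows host. The baseline csrss.exe command line, the vendor key names and the sample values embedded below are constructed for the demo: capture the real baseline from a clean machine of the same Windows build rather than reusing the one here.

```python
import re
import sys

# Registry artifacts listed for Win32/Rovnix.R. The parent key of the
# dynamicdata/License subkeys is variable, so it is matched by pattern.
IE_EMULATION_KEY = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer"
                    r"\Main\FeatureControl\FEATURE_BROWSER_EMULATION")
SUBSYSTEMS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                  r"\Session Manager\SubSystems")
VARIABLE_KEY_RE = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE\\[^\\]+\\(dynamicdata|License)$",
    re.IGNORECASE)

# Constructed sample input: the SubSystems\Windows string from the page and a
# hypothetical clean baseline (illustrative only; capture your own).
ROVNIX_WINDOWS = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,1536,768 "
    r"Windows=On SubSystemType=Windows ServerDll=basesrv,1 "
    r"ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16")
BASELINE_WINDOWS_EXAMPLE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 "
    r"Windows=On SubSystemType=Windows ServerDll=basesrv,1 "
    r"ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    r"ProfileControl=Off MaxRequestThreads=16")
SAMPLE_VALUES = {(IE_EMULATION_KEY, "iexplore.exe"): 11001,
                 (SUBSYSTEMS_KEY, "Windows"): ROVNIX_WINDOWS}
SAMPLE_KEYS = [r"HKEY_CURRENT_USER\SOFTWARE\Xk3Lm\dynamicdata",   # made-up vendor names
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Pq9Rt\License",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"]


def parse_subsystems_windows(value):
    """Split the csrss.exe command line into {option: [values]}.
    ServerDll repeats, so every option maps to a list in original order."""
    parts = value.split()
    opts = {"image": [parts[0]]} if parts else {}
    for token in parts[1:]:
        key, _, val = token.partition("=")
        opts.setdefault(key, []).append(val)
    return opts


def check_rovnix_registry(values, baseline_windows=None):
    """values maps (key path, value name) -> data. baseline_windows is the
    SubSystems\\Windows string from a clean host of the same build; without
    it the csrss command line is not diffed."""
    findings = []
    if values.get((IE_EMULATION_KEY, "iexplore.exe")) == 11001:
        findings.append("FEATURE_BROWSER_EMULATION\\iexplore.exe = 11001 (Rovnix.R indicator)")
    win = values.get((SUBSYSTEMS_KEY, "Windows"))
    if win is not None and baseline_windows is not None:
        cur = parse_subsystems_windows(win)
        base = parse_subsystems_windows(baseline_windows)
        for opt in sorted(set(cur) | set(base)):
            if cur.get(opt) != base.get(opt):
                findings.append(f"SubSystems\\Windows option {opt}: {base.get(opt)} -> {cur.get(opt)}")
    return findings


def find_variable_keys(key_paths):
    """Return (path, strength) for SOFTWARE\\<variable>\\dynamicdata or \\License keys.
    'License' is a common legitimate subkey name, so it is only a weak hit."""
    hits = []
    for path in key_paths:
        m = VARIABLE_KEY_RE.match(path)
        if m:
            hits.append((path, "strong" if m.group(2).lower() == "dynamicdata" else "weak"))
    return hits


def collect_live():
    """Read the values and enumerate SOFTWARE\\*\\* keys on a Windows host."""
    import winreg  # Windows only
    values, keys = {}, []

    def read(root, path, name):
        try:
            with winreg.OpenKey(root, path) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    values[(IE_EMULATION_KEY, "iexplore.exe")] = read(
        winreg.HKEY_CURRENT_USER, IE_EMULATION_KEY.split("\\", 1)[1], "iexplore.exe")
    values[(SUBSYSTEMS_KEY, "Windows")] = read(
        winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY.split("\\", 1)[1], "Windows")
    for root, name in ((winreg.HKEY_CURRENT_USER, "HKEY_CURRENT_USER"),
                       (winreg.HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE")):
        try:
            with winreg.OpenKey(root, "SOFTWARE") as sw:
                for i in range(winreg.QueryInfoKey(sw)[0]):
                    vendor = winreg.EnumKey(sw, i)
                    try:
                        with winreg.OpenKey(sw, vendor) as vk:
                            for j in range(winreg.QueryInfoKey(vk)[0]):
                                keys.append(f"{name}\\SOFTWARE\\{vendor}\\{winreg.EnumKey(vk, j)}")
                    except OSError:
                        continue
        except OSError:
            pass
    return values, keys


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host under investigation")
    live_values, live_keys = collect_live()
    baseline = sys.argv[1] if len(sys.argv) > 1 else None  # clean SubSystems\Windows string
    for line in check_rovnix_registry(live_values, baseline):
        print(line)
    for path, strength in find_variable_keys(live_keys):
        print(f"{path} ({strength})")
```

Run it with the clean csrss.exe command line as the first argument to get the option-by-option diff; without it only the FEATURE_BROWSER_EMULATION value and the variable-named keys are reported. Treat a `License` hit on its own as noise unless the same parent also carries `dynamicdata` or the parent name is random-looking.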