Win32/Rustock [Threat Name]
Win32/Rustock.NJN [Threat Variant Name]
Category | trojan
Size | 116044 B
Aliases | Backdoor.Win32.NewRest.ao (Kaspersky)
        | Backdoor:WinNT/Rustock.AN (Microsoft)
        | Backdoor.Rustock.B (Symantec)
        | Win32:Zeroot-B (Avast)
        | Win32/Rustock.N.virus (AVG)
Short description
Win32/Rustock.NJN is a trojan used for spam distribution. It also serves as a backdoor and can be controlled remotely.
Installation
The trojan is usually installed as a component of other malware. The trojan is usually found in the following folder:
- %system%\drivers\
The following filename is used:
- %variable1%.sys
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable1%]
- "ImagePath" = "%system%\drivers\%variable1%.sys"
- "Type" = 1 (SERVICE_KERNEL_DRIVER)
- "Start" = 1 (SERVICE_SYSTEM_START, loaded by the kernel early in boot)
- "ErrorControl" = 1 (SERVICE_ERROR_NORMAL)
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services]
- "ExtParamD" = %variable2%
A string with variable content is used instead of %variable1-2%.
The trojan creates and runs a new thread with its own program code within the following processes:
- services.exe
The following services are disabled:
- Background Intelligent Transfer Service (BITS)
- Windows Update (wuauserv)
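The persistence pattern above (a kernel driver registered under Services with Type 1 / Start 1 and an image in %system%\drivers\, an "ExtParamD" value on the Services key, and BITS and Windows Update disabled) can be checked for on a live host with the following script. It is an added example, not ESET's code or the trojan's. It assumes PowerShell 5 or later on Windows 8 / Server 2012 or later and an elevated prompt; because the driver name (%variable1%) is random, it flags every kernel driver with the same Type/Start combination and uses Authenticode status to separate legitimate ones. Note that a rootkit hooking the registry APIs can hide its own service key from this enumeration, so an empty result does not prove absence.

```powershell
# Added hunting example (not ESET's code). Run from an elevated PowerShell prompt.
# Assumptions: PowerShell 5+, Windows 8/Server 2012 or later.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Kernel drivers (Type = 1) configured for SERVICE_SYSTEM_START (Start = 1)
#    whose image lives in %system%\drivers\. Legitimate drivers here are almost
#    always catalog-signed, so an unsigned or missing image is what stands out.
$drivers = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.Type -ne 1 -or $p.Start -ne 1) { continue }

    # ImagePath is stored in several forms (\??\C:\..., \SystemRoot\..., relative);
    # normalise to a Win32 path before comparing.
    $image = [string]$p.ImagePath
    $image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
    if ($image -notlike "$driversDir\*.sys") { continue }

    $status = if (Test-Path -LiteralPath $image) {
        (Get-AuthenticodeSignature -FilePath $image).Status
    } else { 'FileMissing' }

    [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = $image; Signature = $status }
}
"Kernel drivers (Type=1, Start=1) in $driversDir without a valid signature:"
$drivers | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize

# 2. The Services key itself normally carries no values of its own;
#    "ExtParamD" is the configuration value the trojan writes there.
$ext = Get-ItemProperty -Path $servicesKey -Name ExtParamD -ErrorAction SilentlyContinue
if ($ext) { "ExtParamD present directly under Services: $($ext.ExtParamD)" }

# 3. BITS and Windows Update being disabled is the other side effect listed above.
"State of BITS and Windows Update:"
Get-CimInstance -ClassName Win32_Service -Filter "Name='BITS' OR Name='wuauserv'" |
    Select-Object Name, State, StartMode | Format-Table -AutoSize
```

A driver that shows up as unsigned or FileMissing, an "ExtParamD" value on the Services key, and both services reported as Disabled together match the installation described here; any one of them alone warrants a closer look rather than a verdict. Where the live view is suspected of being tampered with, repeat the registry checks against an offline copy of the SYSTEM hive (from a volume shadow copy or clean boot media).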
Other information
Win32/Rustock.NJN is a trojan that is used for spam distribution.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 13 URLs and also generates further URL addresses. The HTTP and SMTP protocols are used.
It can execute the following operations:
- send spam
- update itself to a newer version
- download files from a remote computer and/or the Internet
- run executable files
- uninstall itself
- monitor network traffic
- shut down/restart the computer
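Two facts above combine into a usable host-side indicator: the trojan runs its code as a thread inside services.exe, and it sends spam over SMTP. services.exe has no legitimate reason to hold outbound SMTP sessions, so an established TCP connection to port 25 owned by that process is a strong sign. The following added example (not ESET's code) lists such connections; it assumes PowerShell 5 or later on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that owning processes of system services are resolved.

```powershell
# Added detection example (not ESET's code). Run from an elevated PowerShell prompt.
# Assumptions: PowerShell 5+, Windows 8/Server 2012 or later; port 25 only, since
# that is the SMTP usage the description states.

$smtpPort = 25

# Established TCP sessions to remote port 25, with the owning process resolved.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq $smtpPort }

$hits = foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    [pscustomobject]@{
        Process    = $name
        PID        = $c.OwningProcess
        Remote     = "$($c.RemoteAddress):$($c.RemotePort)"
        # services.exe is the injection target named above; it should never be here.
        Suspicious = ($name -eq 'services')
    }
}

"Outbound SMTP sessions by process:"
$hits | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Many distinct SMTP peers from one process is itself a spam-bot signal,
# regardless of which process owns the sockets.
"Distinct SMTP peers per process:"
$hits | Group-Object Process |
    Select-Object Name, Count, @{ n = 'DistinctPeers'; e = { @($_.Group.Remote | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

Because the driver also hooks tcpip.sys, the host's own view of its network activity is not fully trustworthy on an infected machine; corroborate with perimeter firewall or flow logs showing outbound TCP/25 from hosts that are not mail servers, which is the network-side signature of the spam activity described here.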
The trojan hooks the following Windows APIs:
- ZwOpenKey (ntdll.dll)
- ZwCreateKey (ntdll.dll)
- ZwCreateEvent (ntdll.dll)
- TCPDispatchInternalDeviceControl (tcpip.sys)
The trojan hides its presence in the system using techniques common to rootkits. With the registry and TCP/IP APIs above hooked, the service key, the driver file and its network activity may not be visible to tools running on the infected system, so findings from a live host should be corroborated with an offline copy of the SYSTEM hive, a scan from clean boot media, or network-side logs.