Win32/Spy.Rehtesyk [Threat Name] go to Threat

Win32/Spy.Rehtesyk.A [Threat Variant Name]

Category trojan
Size 172826 B
Detection created Aug 13, 2014
Detection database version 10250
Aliases (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using NSIS .


When executed, the trojan copies itself into the following location:

  • %appdata%\­Microsoft\­sccvhost.exe

The trojan creates the following files:

  • %temp%\­xyxwHyCzRsCA (81920 B)
  • %temp%\­%variable%\­BxaKjLsFfANw.dll (96256 B, Win32/Injector.BLBA)

A string with variable content is used instead of %variable% .

The trojan may create the following files:

  • %systemdrive%\­Documents and Settings\­All Users\­Start Menu\­Programs\­Startup\­Microsoft Update.lnk
  • %appdata%\­Microsoft\­Windows\­Start Menu\­Programs\­Startup\­Microsoft Update.lnk

The file is a shortcut to a malicious file.

This causes the trojan to be executed on every system start.

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­1]
    • "2500" = 3
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­2]
    • "2500" = 3
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­3]
    • "2500" = 3
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­4]
    • "2500" = 3

The trojan creates and runs a new thread with its own program code within the following processes:

  • %skypepath%
  • %iexplorepath%
  • C:\­Program Files (x86)\­Internet Explorer\­iexplore.exe

Instead of %skypepath% , the value(s) are taken from the following Registry entry:

  • [HKEY_CLASSES_ROOT\­skype\­shell\­open\­command]

Instead of %iexplorepath% , the value(s) are taken from the following Registry entry:

  • [HKEY_CLASSES_ROOT\­Applications\­iexplore.exe\­shell\­open\­command]
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
  • update itself to a newer version
  • uninstall itself

Please enable Javascript to ensure correct displaying of this content and refresh this page.