Win32/Sumatrix [Threat Name] go to Threat

Win32/Sumatrix [Threat Variant Name]

Category trojan
Size 4608 B
Aliases BackDoor.Asylum.15 (Dr.Web)
  BackDoor-GN.trojan (McAfee)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %windir%\­rundIl32.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "a" = "%windir%\­rundIl32.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­RunServices]
    • "b" = "%windir%\­rundIl32.exe"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "c" = "%windir%\­rundIl32.exe"

The trojan attempts to modify the following files:

  • %windir%\­system.ini
  • %windir%\­win.ini
Information stealing

Win32/Sumatrix is a trojan that steals sensitive information.

The trojan collects the following information:

  • computer name
  • computer IP address
  • operating system version

The trojan attempts to send gathered information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

The trojan opens TCP port 28592 .

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • shut down/restart the computer
  • sending various information about the infected computer

Please enable Javascript to ensure correct displaying of this content and refresh this page.