Virus:TR/Rincux.AW
Date discovered:18/02/2009
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:135.168 Bytes
MD5 checksum:5dcfaaef2dedd8280a9d5dbe7b888a2b
IVDF version:7.01.02.40 - Wednesday, February 18, 2009

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.Agent.adxk
   •  Grisoft: Agent.AZKT
   •  Eset: Win32/Agent.NVO
   •  Bitdefender: Trojan.Rincux.AW


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

 Files It deletes the initially executed copy of itself.



The following file is created:

%SYSDIR%\winnet.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: BDS/Agent.adxk

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   System]
   • DllName="%SYSDIR%\winnet.dll"
   • Startup="LFStartup"
   • Shutdown="LFShutdown"
   • Asynchronous=dword:00000001
   • Impersonate=dword:00000000

 Backdoor Contact server:
The following:
   • jiaozhu**********.9966.org:443

As a result it may send some information.

Sends information about:
    • Computer name
    • CPU type
    • Hardware
    • Username
    • Information about the Windows operating system

 Injection – It injects itself into a process.

    Process name:
   • iexplore.exe


Description inserted by Andreas Feuerstein on Wednesday, February 18, 2009
Description updated by Robert Harja Iliescu on Friday, February 27, 2009

Back . . . .