Virus: TR/Rincux.AW
Date discovered: 18/02/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 135,168 bytes
MD5 checksum: 5dcfaaef2dedd8280a9d5dbe7b888a2b
IVDF version: 7.01.02.40 - Wed, 18 Feb 2009 10:41 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Backdoor.Win32.Agent.adxk
• Grisoft: Agent.AZKT
• Eset: Win32/Agent.NVO
• Bitdefender: Trojan.Rincux.AW
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops a malicious file
• Registry modification
• Steals information

Files
It deletes the initially executed copy of itself.
The following file is created:
– %SYSDIR%\winnet.dll
Once fully written, this file is loaded and executed. Further analysis showed that this file is malware as well. Detected as: BDS/Agent.adxk

Registry
The following registry key is added so that the dropped DLL is loaded again after a reboot (it is registered as a Winlogon notification package, which Winlogon loads at startup and calls on the named logon events):
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System]
• DllName="%SYSDIR%\winnet.dll"
• Startup="LFStartup"
• Shutdown="LFShutdown"
• Asynchronous=dword:00000001
• Impersonate=dword:00000000

Backdoor
Contact server:
• jiaozhu**********.9966.org:443
After contacting the server it may send the following information about the infected host:
• Computer name
• CPU type
• Hardware
• Username
• Information about the Windows operating system

Injection
– It injects itself into a process.
Process name:
• iexplore.exe

Description inserted by Andreas Feuerstein on Wed, 18 Feb 2009 09:29 (GMT+1)
Description updated by Robert Harja Iliescu on Fri, 27 Feb 2009 15:31 (GMT+1)
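The following PowerShell script is an added example, not part of the Avira description above: it checks a Windows host for the indicators listed in the Files, Registry and Injection sections (the Winlogon\Notify\System package pointing at winnet.dll with the LFStartup/LFShutdown exports, the dropped %SYSDIR%\winnet.dll, winnet.dll loaded into iexplore.exe, and a cached DNS entry under 9966.org). The registry path, file name, export names, MD5 and domain suffix come from the description; the function name Test-RincuxIndicators and the output wording are assumptions of this example. Winlogon notification packages are only honoured by Windows 2000/XP/2003 (Vista and later ignore the Notify key), which matches the platform list above, so the MD5 is computed with the .NET MD5 class rather than Get-FileHash to stay runnable on PowerShell 2.0 on those systems. The dropped DLL is a different file from the dropper (BDS/Agent.adxk), so its hash is reported for lookup rather than expected to match the dropper's MD5.

```powershell
function Test-RincuxIndicators {
    # Returns a list of strings, one per indicator found. Empty list = nothing found.
    $findings = @()

    # 1. Registry persistence: Winlogon notification packages (description: Notify\System -> winnet.dll).
    $notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notifyRoot) {
        foreach ($sub in Get-ChildItem -Path $notifyRoot) {
            $props = Get-ItemProperty -Path $sub.PSPath
            $desc  = '{0}: DllName={1} Startup={2} Shutdown={3}' -f $sub.PSChildName, $props.DllName, $props.Startup, $props.Shutdown
            if ($sub.PSChildName -eq 'System' -and "$($props.DllName)" -match 'winnet\.dll$') {
                $findings += "REGISTRY: Notify package from description present ($desc)"
            } elseif ($props.Startup -eq 'LFStartup' -or $props.Shutdown -eq 'LFShutdown') {
                # Same export names under a different subkey or DLL name: still worth flagging.
                $findings += "REGISTRY: LFStartup/LFShutdown exports registered ($desc)"
            } elseif ($props.DllName -and -not ("$($props.DllName)" -match '^(%SystemRoot%\\)?(.*\\)?(scecli|wlnotify|crypt32|cscdll|dimsntfy|sclgntfy|WgaLogon)\.dll$')) {
                # Anything that is not one of the stock Windows notification DLLs deserves a manual look.
                $findings += "REGISTRY: unrecognised Notify package, review manually ($desc)"
            }
        }
    }

    # 2. Dropped file: %SYSDIR%\winnet.dll. Hash computed with .NET so this also runs on PowerShell 2.0.
    $dropped = Join-Path ([Environment]::GetFolderPath('System')) 'winnet.dll'
    if (Test-Path $dropped) {
        $md5   = [System.Security.Cryptography.MD5]::Create()
        $bytes = [System.IO.File]::ReadAllBytes($dropped)
        $hash  = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        $findings += "FILE: $dropped present, MD5=$hash (dropper MD5 from description: 5dcfaaef2dedd8280a9d5dbe7b888a2b)"
    }

    # 3. Injection target: winnet.dll loaded into iexplore.exe.
    foreach ($proc in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
        $loaded = $proc.Modules | Where-Object { $_.ModuleName -eq 'winnet.dll' }
        if ($loaded) {
            $findings += "PROCESS: iexplore.exe PID $($proc.Id) has loaded $($loaded.FileName)"
        }
    }

    # 4. Network: the C2 host name is partly redacted in the description, so match only the 9966.org suffix
    #    in the DNS resolver cache. Any hit is a lead, not proof on its own.
    $dns = ipconfig /displaydns 2>$null
    if ($dns -match '9966\.org') {
        $findings += 'NETWORK: resolver cache contains a name under 9966.org'
    }

    return ,$findings
}

$result = Test-RincuxIndicators
if ($result.Count -eq 0) {
    Write-Output 'No TR/Rincux.AW indicators found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt so the HKLM key and the modules of other users' processes are readable. The stock Windows notification DLL names in the regular expression are a convenience list (an assumption of this example, not from the description); treat it as a way to reduce noise, not as an allowlist, since a Notify entry can legitimately point elsewhere on systems with third-party logon components.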