Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Rodecap.AA

Aliases: Trojan.Win32.Scar.bklu (Kaspersky), Trojan:Win32/Rodecap.A (Microsoft), Downloader (Symantec)
Type of infiltration: Trojan
Size: 95232 B
Affected platforms: Microsoft Windows
Signature database version: 4876 (20100218)

Short description

Win32/Rodecap.AA is a trojan that tries to download other malware from the Internet. It can be controlled remotely.

Installation

The trojan may create copies of itself in one of the following folders:
  • %temp%
  • %appdata%
  • %appdata%\microsoft
  • %localappdata%
  • %windir%
  • %system%
  • %system%\drivers
Its filename may be one of the following:
  • cisvc.exe
  • clipsrv.exe
  • cmstp.exe
  • comrepl.exe
  • dllhst3g.exe
  • esentutl.exe
  • ieudinit.exe
  • logman.exe
  • mqtgsvc.exe
  • mstinit.exe
  • mstsc.exe
  • rsvp.exe
  • sessmgr.exe
  • spoolsv.exe
All of these are names of legitimate Windows system executables, so the trojan's copies are told apart by location (a file of that name in %temp% or %appdata% rather than in %system%), not by name alone.
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "%variable%" = "%malwarepath% /waitservice"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "%variable%" = "%malwarepath% /waitservice"
  • [HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "%variable%" = "%malwarepath% /waitservice"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\load]
    "%variable%" = "%malwarepath% /waitservice"
This causes the trojan to be executed on every system start. Note that these are the Policies\Explorer\Run and Windows\load locations, not the more commonly inspected CurrentVersion\Run key, so a check limited to the latter will miss this persistence.

The %variable% is one of the following strings:
  • DllHst
  • ComRepl
  • CmSTP
  • ClipSrv
  • Esent Utl
  • Cisvc
  • Mstsc
  • MstInit
  • MqtgSVC
  • rsvp
  • SessMgr
  • Spool
  • IEudinit
  • Logman
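
The following script is an added detection example, not part of the ESET entry or of the malware. It assumes the operator has exported each of the Run keys listed above (for instance with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" run.reg`) and scans the decoded .reg text for three indicators taken from this entry: the `/waitservice` launch switch, a value name from the %variable% list, and one of the listed filenames running from a directory other than the real system directories. The sample .reg content and the user paths in it are constructed for the example; the "legitimate directory" list assumes a default `C:\Windows` installation.

```python
"""Hunt for Win32/Rodecap.AA-style persistence in a .reg export (added example)."""
import re

# Value names and filenames copied from the encyclopedia entry (lower-cased for matching).
RODECAP_VALUE_NAMES = {
    "dllhst", "comrepl", "cmstp", "clipsrv", "esent utl", "cisvc", "mstsc",
    "mstinit", "mqtgsvc", "rsvp", "sessmgr", "spool", "ieudinit", "logman",
}
RODECAP_FILENAMES = {
    "cisvc.exe", "clipsrv.exe", "cmstp.exe", "comrepl.exe", "dllhst3g.exe",
    "esentutl.exe", "ieudinit.exe", "logman.exe", "mqtgsvc.exe", "mstinit.exe",
    "mstsc.exe", "rsvp.exe", "sessmgr.exe", "spoolsv.exe",
}
# Assumption: default install; the genuine binaries live only here.
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# One REG_SZ line of a .reg file: "Name"="data" (data still carries \\ and \" escapes).
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in decoded .reg text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key section
        elif key and (m := REG_VALUE.match(line)):
            data = re.sub(r'\\(["\\])', r"\1", m.group("data"))  # un-escape \\ and \"
            yield key, m.group("name"), data


def exe_path(command_line):
    """Return the executable path from a Run value: quoted path or first token."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return command_line[1:command_line.find('"', 1)]
    return command_line.split(" ", 1)[0]


def findings_for(key, name, data):
    """Return the list of Rodecap indicators matched by one registry value."""
    directory, _, fname = exe_path(data).lower().rpartition("\\")
    reasons = []
    if "/waitservice" in data.lower():
        reasons.append("'/waitservice' launch switch used by Rodecap")
    if name.lower() in RODECAP_VALUE_NAMES:
        reasons.append(f"value name {name!r} is on the Rodecap %variable% list")
    if fname in RODECAP_FILENAMES and directory not in LEGIT_DIRS:
        reasons.append(f"{fname} launched from {directory!r}, not a system directory")
    return reasons


def scan_reg_export(text):
    """Return [(key, name, data, reasons)] for every value with at least one indicator."""
    return [(key, name, data, r)
            for key, name, data in parse_reg_export(text)
            if (r := findings_for(key, name, data))]


def scan_reg_file(path):
    """reg.exe writes UTF-16 with a BOM; decode accordingly before scanning."""
    with open(path, encoding="utf-16") as fh:
        return scan_reg_export(fh.read())


# Constructed sample export: one infected HKLM value, two benign ones, one infected HKCU value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ClipSrv"="C:\\Users\\alice\\AppData\\Local\\Temp\\clipsrv.exe /waitservice"
"Backup"="\"C:\\Program Files\\Acme\\backup.exe\" /quiet"
"Spooler"="C:\\Windows\\System32\\spoolsv.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"mstsc"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\mstsc.exe"
'''

if __name__ == "__main__":
    for key, name, data, reasons in scan_reg_export(SAMPLE_REG):
        print(f"[{key}] {name} = {data}")
        for reason in reasons:
            print(f"    - {reason}")
```

The three indicators are scored independently so a renamed value (or a copy launched without `/waitservice`) still surfaces on the filename-outside-system-directory check; a match on a single indicator is a lead to verify against the file on disk, not a verdict on its own.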

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of three URLs. It can download a file from the Internet and execute it. The HTTP protocol is used.