Short description
Win32/Vedrio.A is a trojan that installs a backdoor which can be controlled remotely. The file is run-time packed with UPX.
Installation
When executed, the trojan creates the following files:
- %system%\Rasmon.dll (90112 B)
- %windir%\DFS.bat
The trojan registers itself as a system service (see the Services\RaS%random% key below).
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "UpsWts"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS\0000]
"Service" = "UpsWts"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "UpsWts"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS]
"NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random%\Security]
"Security" = %hex_value%
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random%\Parameters]
"ServiceDll" = "%system%\rasmon.dll"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random%]
"ErrorControl" = 0
"Start" = 2
"Type" = 32
"ImagePath" = "%system%\svchost.exe -k netsvcs"
"ObjectName" = "LocalSystem"
This causes the trojan to be executed on every system start: "Start" = 2 (SERVICE_AUTO_START) and "Type" = 32 (SERVICE_WIN32_SHARE_PROCESS) make the Service Control Manager load Rasmon.dll into the netsvcs svchost.exe instance at boot, running as LocalSystem.
A string with variable content is used instead of %random%.
Other information
The trojan contains a backdoor.
It receives data and commands from a remote computer or the Internet.
The trojan connects to the following addresses:
- 360.homeunix.com (TCP:443)
- 192.168.5.164 (TCP:443)
Note that 192.168.5.164 is a private (RFC 1918) address; it is only meaningful inside the network for which the sample was configured and is not a usable network indicator on its own.
It can execute the following operations:
- download files from a remote computer and/or Internet
- run executable files
- create Registry entries
- delete Registry entries
- remove itself from the infected computer
- send the list of disk devices and their type to a remote computer
- terminate running processes
- send files to a remote computer
- set file attributes
- delete files
- shut down/restart the computer
- retrieve the CPU information
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Sun\1.1.2]
"AppleTlk" = "%variable1%"
- [HKEY_LOCAL_MACHINE\Software\Sun\1.1.2]
"IsoTp" = "%variable2%"
A string with variable content is used instead of %variable1%, %variable2%.
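The registry artefacts described in this entry (the svchost-hosted RaS%random% service with its ServiceDll pointing at rasmon.dll and the LEGACY_UPSWTS enum key from the Installation section, and the Software\Sun\1.1.2 values above) can be checked offline against a registry export. The following Python script is an added example and is not part of the original entry, nor ESET's or the malware's code. It parses a small .reg export (constructed here, not taken from an infected host), reports the Vedrio.A-specific indicators and, as a generalisation beyond this sample, flags any service in the netsvcs group whose ServiceDll is not in an allowlist; the allowlist KNOWN_NETSVCS_DLLS and the service name RaSq8w2 are assumptions for illustration.

```python
import re

# Constructed sample .reg export (not captured from a real host): one svchost-hosted
# service whose ServiceDll is rasmon.dll, BITS/qmgr.dll as a benign control,
# the LEGACY_UPSWTS enum key and the Software\Sun\1.1.2 configuration values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSq8w2]
"Start"=dword:00000002
"Type"=dword:00000020
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSq8w2\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\rasmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS\0000]
"Service"="UpsWts"
"DeviceDesc"="UpsWts"

[HKEY_LOCAL_MACHINE\Software\Sun\1.1.2]
"AppleTlk"="a3f9"
"IsoTp"="0c11"
'''

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
LEGACY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS"
SUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Sun\1.1.2"

# Assumption: illustrative allowlist of DLLs expected in the netsvcs group. A real
# baseline must be taken from a known-clean image of the same Windows build.
KNOWN_NETSVCS_DLLS = {"qmgr.dll", "wuauserv.dll", "browser.dll", "srvsvc.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Strings are unescaped, dwords become ints, other types (hex:...) stay verbatim."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                data = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif raw.startswith("dword:"):
                data = int(raw[6:], 16)
            else:
                data = raw
            keys[current][name] = data
    return keys


def _lookup(keys, wanted):
    """Case-insensitive key lookup (registry paths are case-insensitive)."""
    return next((v for k, v in keys.items() if k.lower() == wanted.lower()), None)


def find_indicators(keys):
    """Return (rule, detail) tuples for Vedrio.A-style persistence and config keys."""
    hits, prefix = [], SERVICES.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        svc = path[len(prefix):]
        if "\\" in svc:
            continue  # Parameters / Security subkeys are read via their parent key
        image = str(values.get("ImagePath", "")).lower()
        dll = str((_lookup(keys, path + r"\Parameters") or {}).get("ServiceDll", ""))
        base = dll.rsplit("\\", 1)[-1].lower()
        if base == "rasmon.dll":
            hits.append(("vedrio_servicedll", f"{svc}: ServiceDll={dll}"))
        elif "svchost.exe -k netsvcs" in image and base and base not in KNOWN_NETSVCS_DLLS:
            hits.append(("unknown_netsvcs_dll", f"{svc}: ServiceDll={dll}"))
    if any(p.lower().startswith(LEGACY_KEY.lower()) for p in keys):
        hits.append(("legacy_upswts_enum", LEGACY_KEY))
    found = sorted({"AppleTlk", "IsoTp"} & set(_lookup(keys, SUN_KEY) or {}))
    if found:
        hits.append(("sun_config_key", ", ".join(found)))
    return hits


def scan(text=SAMPLE_REG):
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    for rule, detail in scan():
        print(f"{rule:22} {detail}")
```

On a live host the same export is produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (and the Enum\Root and Software\Sun keys likewise) and passed to `scan()`. The generic netsvcs rule is the one worth keeping after this family is gone: a DLL loaded through "svchost.exe -k netsvcs" that is not part of the build's baseline is the persistence pattern, whatever the DLL happens to be called.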