Installation
Win32/Redyms makes the following changes to the registry to ensure that it runs each time you start your computer:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: <random letters>, for example "feddfcfbac"
With data: <moved file>, for example, "%APPDATA%\7f5ed85d-6828-4f92-858c-f40b0ac6813879\feddfcfbac.exe"
When it runs, Win32/Redyms injects itself into every running process and hooks the following function, so that when a new process is created, it can inject itself into the new process:
ntdll!ZwResumeThread
Payload
Redirects search results
The trojan redirects search results if it observes you using a browser containing any of the following strings in the URL:
- .ask.com
- search.aol.
- search.icq.com
- search.xxx
- search.yahoo.
- www.alexa.com
- www.bing.com
- www.google.
- www.wiki.com
- www.yandex.com
For more information about how it does this, please see the Additional information section below.
Contacts remote hosts
Win32/Redyms tries to connect to www.microsoft.com to check whether your computer is currently online.
If it confirms an Internet connection, it may contact the URL "fsepzqgv-osvxg.net/fsepzqgv.php".
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
Additional information
Win32/Redyms creates mutexes such as the following to ensure that only one copy of the trojan is running on your computer at any one time:
"Global\sw-<injected process id>", for example "Global\sw-71c"
In every injected process it creates a mutex named "Global\<random GUID>-ffffffff", for example "Global\7f5ed85d-6828-4f92-858c-f40b0ac6813879-ffffffff".
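The two mutex names above can be probed from a defender's side without touching the malware itself. The following PowerShell script is an added example, not part of the Microsoft encyclopedia entry; it assumes (the page does not say so) that <injected process id> is the process ID written in lowercase hexadecimal (the sample "71c" reads as hex) and that the <random GUID> is the same GUID used for the %APPDATA% folder, so it recovers candidate GUIDs from folder names under %APPDATA%. Run it in the affected user's session, since %APPDATA% is per-user.

```powershell
# Added example (not from the encyclopedia entry). Probes for the Win32/Redyms
# mutex names "Global\sw-<pid>" and "Global\<GUID>-ffffffff".

function Test-NamedMutex {
    # Returns $true if a mutex with this name exists in the system, even when
    # the current token is not allowed to open it.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false          # no kernel object with that name
    } catch [System.UnauthorizedAccessException] {
        return $true           # exists, but access is denied to us
    }
}

$hits = @()

# Per-process mutex: Global\sw-<pid in hex>  (hex encoding is an assumption)
foreach ($p in Get-Process) {
    $name = 'Global\sw-{0:x}' -f $p.Id
    if (Test-NamedMutex -Name $name) {
        $hits += [pscustomobject]@{ Mutex = $name; Process = $p.ProcessName; ProcessId = $p.Id }
    }
}

# Per-infection mutex: Global\<GUID>-ffffffff. The GUID is taken from folder names
# under %APPDATA% (assumption: same GUID as the dropped-file folder). The page's
# sample GUID has a 14-digit last group, so the last group is matched loosely.
$guidRx  = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12,}$'
$appData = [Environment]::GetFolderPath('ApplicationData')
foreach ($dir in Get-ChildItem -Path $appData -Directory -ErrorAction SilentlyContinue) {
    if ($dir.Name -notmatch $guidRx) { continue }
    $name = 'Global\{0}-ffffffff' -f $dir.Name
    if (Test-NamedMutex -Name $name) {
        $hits += [pscustomobject]@{ Mutex = $name; Process = '(any injected process)'; ProcessId = $null }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No Win32/Redyms mutex names found.'
} else {
    $hits | Format-Table -AutoSize
}
```

A hit on "Global\sw-<pid>" identifies which process has been injected, which is useful when deciding what to dump or terminate during triage; the "Global\" prefix makes the check work across sessions, so it can also run from an administrative session other than the infected user's.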
It checks your Internet traffic by hooking the following Windows functions:
- mswsock!WSPCloseSocket
- mswsock!WSPRecv
- mswsock!WSPSend
As part of its search redirect payload, Win32/Redyms injects itself into every running process. It checks whether the process name contains any of the following strings, which indicates it may be a browser:
- avant
- browser
- chrome
- firefox
- iexplo
- maxthon
- mozill
- netsc
- opera
- safari
If the trojan runs in the explorer.exe process, it moves itself to %APPDATA%\<random GUID>\<random letters>.exe, for example "%APPDATA%\7f5ed85d-6828-4f92-858c-f40b0ac6813879\feddfcfbac.exe".
It also creates the following registry entries under this key, in which it stores configuration information:
In subkey: HKCU\SOFTWARE\Adobe\CSXS.2.5
Sets value: "LogLevel"
With data: "1"
Sets value: "tLastM_Reader"
With data: <binary data>
If the process appears to be a browser, Win32/Redyms checks if it's open to a URL containing any of the following strings, which may indicate that a search is being done:
- .ask.com
- search.aol.
- search.icq.com
- search.xxx
- search.yahoo.
- www.alexa.com
- www.bing.com
- www.google.
- www.wiki.com
- www.yandex.com
If the URL contains any of these strings, Win32/Redyms tries to redirect search results to a certain website.
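The host artifacts described in the Installation section, the Contacts remote hosts section and this section (the Policies\Explorer\Run value, the dropped file under %APPDATA%\<random GUID>, the HKCU\SOFTWARE\Adobe\CSXS.2.5 configuration values and the contact domain) can be checked together. The following PowerShell script is an added example, not part of the Microsoft encyclopedia entry or of any vendor tool. It assumes only the patterns shown on the page: a GUID-named folder (matched loosely, because the page's sample GUID ends in a 14-digit group), a lowercase-letter executable name, and that the value data is stored as written, with %APPDATA% unexpanded. Run it in the affected user's session, because HKCU and %APPDATA% are per-user.

```powershell
# Added example (not from the encyclopedia entry). Checks a Windows host for the
# Win32/Redyms persistence, dropped-file, configuration and DNS-cache indicators.
$findings = @()

# GUID folder pattern; last group is 12 or more hex digits to cover the page's sample.
$guidRx = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12,}'

# 1. Persistence: a Policies\Explorer\Run value pointing into %APPDATA%\<GUID>\<letters>.exe
$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$runDataRx = '(?i)^"?(?:%APPDATA%|[a-z]:\\.*\\AppData\\Roaming)\\' + $guidRx + '\\[a-z]+\.exe"?$'
if (Test-Path -Path $runKey) {
    $key = Get-Item -Path $runKey
    foreach ($valueName in $key.GetValueNames()) {
        # Read without expanding %APPDATA%, so the stored string is matched as written
        $data = [string]$key.GetValue($valueName, '', 'DoNotExpandEnvironmentNames')
        if ($data -match $runDataRx) {
            $findings += [pscustomobject]@{ Indicator = 'Run policy value'; Name = $valueName; Detail = $data }
        }
    }
}

# 2. Dropped file: %APPDATA%\<GUID>\<letters>.exe (the trojan moves itself here from explorer.exe)
$appData = [Environment]::GetFolderPath('ApplicationData')
foreach ($dir in Get-ChildItem -Path $appData -Directory -ErrorAction SilentlyContinue) {
    if ($dir.Name -notmatch "^$guidRx`$") { continue }
    foreach ($exe in Get-ChildItem -Path $dir.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        if ($exe.BaseName -match '^[a-z]+$') {
            $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Name = $exe.Name; Detail = $exe.FullName }
        }
    }
}

# 3. Configuration store: HKCU\SOFTWARE\Adobe\CSXS.2.5 with "LogLevel" and "tLastM_Reader".
#    "tLastM_Reader" (binary data) is the specific value; "LogLevel" alone is too generic to flag.
$cfgKey = 'HKCU:\SOFTWARE\Adobe\CSXS.2.5'
if (Test-Path -Path $cfgKey) {
    $names = (Get-Item -Path $cfgKey).GetValueNames()
    if ($names -contains 'tLastM_Reader') {
        $hasLogLevel = $names -contains 'LogLevel'
        $findings += [pscustomobject]@{ Indicator = 'Config key'; Name = 'tLastM_Reader'; Detail = "$cfgKey (LogLevel present: $hasLogLevel)" }
    }
}

# 4. Contact: the host name from the contact URL in the local DNS resolver cache
#    (Get-DnsClientCache exists on Windows 8 / Server 2012 and later only).
$c2Host = 'fsepzqgv-osvxg.net'
if (Get-Command -Name Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$c2Host*" })) {
        $findings += [pscustomobject]@{ Indicator = 'DNS cache'; Name = $entry.Entry; Detail = $entry.Data }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Redyms host indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The Run policy check is the strongest single indicator here, because the Policies\Explorer\Run key is rarely populated on ordinary workstations; a GUID folder or a DNS cache entry on its own only corroborates it. The DNS cache is flushed on reboot, so an empty result from step 4 says nothing about earlier contact attempts; proxy or DNS server logs for the same host name are the durable record.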
Analysis by Shawn Wang