Follow:

 

Trojan:Win32/Ramdo.A


Microsoft security software detects and removes this threat.

Trojan:Win32/Ramdo.A is a trojan that does click-fraud. It might disable some features of your security software.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Installation

It drops itself into your PC as the file %APPDATA%\verison.dll. It renames itself as <startup folder>\HpM3Util.exe so that it starts every time Windows starts.

It creates these registry values to store its configuration data:

In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Sets value: "tLast_ReadedSpec"
With data: "<encrypted configuration>"

In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Sets value: "tLastCollab_doc"
With data: "<encrypted configuration>"

Payload

Disables features of security software

This threat injecets itself into all 32-bit processes and then tries to unload these DLL files:

  • UMEngx86.dll
  • wl_hook.dll

These files are used by certain security software, so if this threat is successful in unloading these files, your security software won't run properly.

Connects to a server

This threat tries to collect the following information about your PC:

  • What operating system version you're running
  • If it's running in a virtual environment
  • What version of Adobe Flash is installed in your PC
  • How many processors you have in your PC
  • Your PC's GUID

It then tries to send the information to a server with a name generated using a specific algorithm.

Depending on commands from the server, it might also do the following on your PC:

  • Update itself
  • Update its configuration
  • Load modules

Does click-fraud

It does click-fraud by generating fake clicks to ads in the server in 95.211.193.11 (the referrer is starmina.net).

It also hooks these APIs to hide its click-fraud activities:

  • CoCreateInstance
  • DialogBoxIndirectParamAorW
  • GetCursorPos
  • waveOutOpen
  • waveOutSetVolume

Depending on how many processors you have in your PC, this threat might start one or multiple instances of these files, into which it injects itself to do its click-fraud activities:

It also creates these registry values to hide the browser while it does click-fraud:

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Sets value: "twunk_32.exe"
With data: "9000"
Sets value: "winhlp32.exe"
With data: "9000"

Analysis by Shawn Wang


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
  • You see these entries or keys in your registry:

    In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
    Sets value: "tLast_ReadedSpec"
    With data: "<encrypted configuration>"

    In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
    Sets value: "tLastCollab_doc"
    With data: "<encrypted configuration>"


Prevention


Alert level: Severe
First detected by definition: 1.165.138.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Dec 18, 2013
This entry was first published on: Jan 16, 2014
This entry was updated on: Jan 23, 2014

This threat is also detected as:
  • BackDoor.Finder.11 (Dr.Web)
  • Win32/Kryptik.BSNW trojan (ESET)
  • Redyms-FDJR!851716E07456 (McAfee)