Backdoor:Win32/Reyds.A

Backdoor:Win32/Reyds.A is a trojan that allows unauthorized access and control of an affected computer.

When executed, Backdoor:Win32/Reyds.A copies itself to <system folder>\xhfhgebdbadw.exe.

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The malware modifies the following registry entries to ensure that its copy executes at each Windows start:

Adds value: "XHFHGEBDbadw"
With data: "c:\windows\system32\xhfhgebdbadw.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The malware utilizes code injection in order to hinder detection and removal. When Backdoor:Win32/Reyds.A executes, it may inject code into running processes, including the following, for example:

Backdoor:Win32/Reyds.A allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Reyds.A. This could include, but is not limited to, the following actions:

This malware description was produced and published using our automated analysis system's examination of file SHA1 6f62376ead176de5f82507d6ab9aff62c3f09399.