Threat behavior
Backdoor:Win32/Rumsoot.gen!A is a trojan that may download files from a remote web site.
Installation
This trojan could be introduced to the computer via a malicious web page, or possibly installed by other malware.
When run, the dropper may create the file "c:\winself.exe" and then execute it with the following parameters:
"c:\winself.exe 444.0 winself.exe"
Win32/Rumsoot may add the following registry value and data:
Adds value: "02"
With data: <hexadecimal values>
To subkey: HKLM\Software\Microsoft\NetDNS\Remoted Shares
Win32/Rumsoot may create a service so that the trojan runs at each Windows start. The service is named "MsSecurity Updated".
Win32/Rumsoot may drop files into the path "%windir%\temp" with names such as tmp1.tmp, tmpb.tmp, tmp2.tmp, tmpc.tmp and so on.
The dropped trojan may create additional files:
%windir%\muotr.so
%windir%\444.0
%windir%\mainms.vpi
Rumsoot executes one of its dropped components with a parameter, for example:
"%windir%\444.0 install"
Payload
Downloads Arbitrary Files
Win32/Rumsoot may connect to the site 'tr-exchange.com' over HTTP to download a small data file. The trojan may also attempt to download other programs, such as rogue antivirus products.
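The indicators listed under Installation and Payload (dropped file names, the dropper command lines, the NetDNS registry value, the service name and the download host) can be turned directly into host triage logic. The script below is an added example written for this page, not Microsoft's own detection or the trojan's code: it normalises paths so that the real Windows directory folds back into the %windir% form used above, then matches a few constructed telemetry records against each indicator. The event field names (type, path, cmdline, key, value, name, host) are an assumed schema rather than any product's, the Windows directory is assumed to be C:\Windows, and the temp-file rule assumes the "tmp1.tmp, tmpb.tmp, ... and so on" names continue as hex digits, which goes slightly beyond what the entry states.

```python
import re

# Indicators transcribed from the entry above. Paths are kept in the
# %windir% form the entry uses and compared case-insensitively.
RUMSOOT_FILES = {
    r"c:\winself.exe",
    r"%windir%\muotr.so",
    r"%windir%\444.0",
    r"%windir%\mainms.vpi",
}
# tmp1.tmp, tmpb.tmp, tmp2.tmp, tmpc.tmp "and so on": the suffix is ASSUMED
# here to be one or more hex digits; the entry only lists four examples.
TEMP_DROP_RE = re.compile(r"^%windir%\\temp\\tmp[0-9a-f]+\.tmp$")
# "c:\winself.exe 444.0 winself.exe" and "%windir%\444.0 install",
# allowing for an optionally quoted image path.
CMDLINE_RES = (
    re.compile(r'^"?c:\\winself\.exe"?\s+444\.0\s+winself\.exe$'),
    re.compile(r'^"?%windir%\\444\.0"?\s+install$'),
)
REGISTRY_KEY = r"hklm\software\microsoft\netdns\remoted shares"
REGISTRY_VALUE = "02"
SERVICE_NAME = "mssecurity updated"
DOWNLOAD_HOST = "tr-exchange.com"


def normalise(text, windir=r"c:\windows"):
    r"""Lower-case a path or command line and fold the real Windows directory
    (ASSUMED to be C:\Windows) back into the %windir% form used by the entry."""
    return text.strip().lower().replace(windir.lower(), "%windir%")


def match_event(event):
    """Return a short reason if the event matches a Rumsoot indicator, else None.
    The event schema (type/path/cmdline/key/value/name/host) is this example's
    own assumption, not a particular sensor's format."""
    kind = event.get("type")
    if kind == "file_create":
        path = normalise(event["path"])
        if path in RUMSOOT_FILES:
            return f"known Rumsoot file {path}"
        if TEMP_DROP_RE.match(path):
            return f"Rumsoot-style temp drop {path}"
    elif kind == "process_create":
        cmd = normalise(event["cmdline"])
        if any(r.match(cmd) for r in CMDLINE_RES):
            return f"Rumsoot dropper invocation: {cmd}"
    elif kind == "registry_set":
        if normalise(event["key"]) == REGISTRY_KEY and event["value"] == REGISTRY_VALUE:
            return "Rumsoot registry marker NetDNS\\Remoted Shares\\02"
    elif kind == "service_install":
        if event["name"].strip().lower() == SERVICE_NAME:
            return 'Rumsoot persistence service "MsSecurity Updated"'
    elif kind == "network_connect":
        if event["host"].strip().lower() == DOWNLOAD_HOST:
            return f"connection to Rumsoot download site {DOWNLOAD_HOST}"
    return None


def triage(events):
    """Return (index, reason) pairs for every event that matched an indicator."""
    hits = []
    for i, ev in enumerate(events):
        reason = match_event(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed telemetry for demonstration; not captured from a real infection.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\winself.exe"},
    {"type": "process_create", "cmdline": r'"C:\winself.exe" 444.0 winself.exe'},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\NetDNS\Remoted Shares", "value": "02"},
    {"type": "service_install", "name": "MsSecurity Updated"},
    {"type": "file_create", "path": r"C:\Windows\temp\tmpb.tmp"},
    {"type": "file_create", "path": r"C:\Windows\mainms.vpi"},
    {"type": "process_create", "cmdline": r"C:\Windows\444.0 install"},
    {"type": "network_connect", "host": "tr-exchange.com"},
    {"type": "file_create", "path": r"C:\Windows\temp\report.tmp"},      # benign
    {"type": "process_create", "cmdline": "svchost.exe -k netsvcs"},      # benign
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The registry check matches on the value name only, because the entry gives the data as unspecified hexadecimal values; on a live host, the presence of that key under HKLM\Software\Microsoft\NetDNS at all is the stronger signal, since no legitimate Windows component writes there.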
Analysis by Josh Phillips
Prevention