Backdoor:Win32/Ryknos.A creates a copy of itself named $sys$drv.exe in the Windows system folder. The Trojan attempts to enter this name in a registry key to cause the Trojan to run automatically each time Windows starts.

 

The Trojan takes advantage of the stealth functionality of rootkit VirTool:WinNT/F4IRootkit if the rootkit is already installed on the target computer. The rootkit hides certain names on the system that are prefixed by $sys$, such as names of files, processes, and registry entries. The Trojan file name, process name, and registry entry name begin with $sys$, so the effect is that the rootkit hides the Trojan from the user.

 

Backdoor:Win32/Ryknos.A uses the netsh command to configure the Windows firewall so the Trojan can exchange data over the network. The Trojan can connect to several IRC servers at a time to receive commands from attackers, who can then take complete control of the infected computer.  

 

Like other Trojans, Backdoor:Win32/Ryknos.A does not have its own spreading mechanism. Trojans may be distributed in numerous ways, for example, through e-mail, file-sharing, network shares, or file downloads.