Threat behavior
Installation
When run, TrojanDropper:Win32/Resmu.A drops Trojan:Win32/Resmu.A!rootkit as the following file:
<system folder>\drivers\srenum.sys
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The registry is modified so that the dropped driver is registered as a service and loaded at each Windows start.
Adds value: "ImagePath"
With data: "<system folder>\drivers\srenum.sys"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\srenum
The following files are also created during the installation of Trojan:Win32/Resmu.A!rootkit:
- <current folder>\ndisrd.sys
- <current folder>\ndisrd.inf
- <current folder>\ndisrd_m.inf
where <current folder> is the folder location where TrojanDropper:Win32/Resmu.A was initially executed.
Payload
Connects to a remote server
Trojan:Win32/Resmu.A!rootkit may try to hook NDIS and use the ndisrd driver to contact various remote servers using HTTP. It may then download and upload arbitrary files using FTP.
Some of the remote servers it is known to connect to are:
- bkglpvdh.com
- cbaygdvd.com
- gthydetr.org
- kknbktja.com
- okrayjvd.org
- otnvgeve.com
- sqghtiae.com
- vmggmlen.org
- vqjtjqty.org
- wswuratr.org
- xathjxfh.org
- ximfmhsa.com
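The installation artifacts (service key, dropped driver, ndisrd side files) and the remote server names listed above make up a small indicator set that can be swept on a suspect host. The script below is an added example written for this page; it is not code from the encyclopedia entry or from the malware. It assumes Windows PowerShell 4.0 or later (Get-FileHash; Get-DnsClientCache needs Windows 8 / Server 2012 or later) run from an elevated session, and because the entry only says the ndisrd files land in "<current folder>", the folders searched for them are a guess exposed as a parameter.

```powershell
# Added example (editor's code, not from the encyclopedia entry): sweep a host
# for the Resmu.A installation artifacts and remote-server names listed above.
# Assumptions: Windows PowerShell 4.0+ (Get-FileHash), Windows 8 / Server 2012+
# (Get-DnsClientCache), elevated session. $DropperFolders is a guess for
# "<current folder>" and should be adjusted to where the dropper was run.

function Invoke-ResmuSweep {
    param(
        # Candidate "<current folder>" locations where the dropper may have run.
        [string[]]$DropperFolders = @(
            "$env:USERPROFILE\Downloads",
            "$env:USERPROFILE\Desktop",
            $env:TEMP
        )
    )

    # Remote server names taken from the entry above.
    $knownDomains = @(
        'bkglpvdh.com', 'cbaygdvd.com', 'gthydetr.org', 'kknbktja.com',
        'okrayjvd.org', 'otnvgeve.com', 'sqghtiae.com', 'vmggmlen.org',
        'vqjtjqty.org', 'wswuratr.org', 'xathjxfh.org', 'ximfmhsa.com'
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service subkey the dropper adds; its ImagePath should name srenum.sys.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\srenum'
    if (Test-Path -Path $svcKey) {
        $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("Service key present: $svcKey (ImagePath = '$imagePath')")
    }

    # 2. Dropped driver in <system folder>\drivers, hashed for later correlation.
    $driver = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\srenum.sys'
    if (Test-Path -Path $driver) {
        $sha256 = (Get-FileHash -Path $driver -Algorithm SHA256).Hash
        $findings.Add("Driver file present: $driver (SHA256 $sha256)")
    }

    # 3. Driver object known to the Service Control Manager, which still shows
    #    up when the file itself is hidden or already deleted.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='srenum'" -ErrorAction SilentlyContinue
    if ($drv) {
        $findings.Add("Kernel driver 'srenum' registered (state: $($drv.State), path: $($drv.PathName))")
    }

    # 4. ndisrd side files written next to the dropper.
    foreach ($folder in $DropperFolders) {
        foreach ($name in 'ndisrd.sys', 'ndisrd.inf', 'ndisrd_m.inf') {
            $candidate = Join-Path -Path $folder -ChildPath $name
            if (Test-Path -Path $candidate) {
                $findings.Add("Side file present: $candidate")
            }
        }
    }

    # 5. Resolver cache entries for the listed domains (subdomains included).
    foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
        foreach ($domain in $knownDomains) {
            if ($entry.Entry -eq $domain -or $entry.Entry -like "*.$domain") {
                $findings.Add("DNS cache entry for known server: $($entry.Entry) -> $($entry.Data)")
            }
        }
    }

    return $findings
}

# Usage: run elevated; each finding is printed as one line.
$hits = @(Invoke-ResmuSweep)
if ($hits.Count -eq 0) {
    'No Resmu.A indicators found on this host.'
} else {
    Write-Warning "$($hits.Count) Resmu.A indicator(s) found:"
    $hits
}
```

A clean result from this sweep is not conclusive. The payload is a kernel-mode rootkit that hooks NDIS, so on an infected host the file, registry and network views a live PowerShell session gets can be filtered by the driver itself; confirm from offline media (WinPE with the SYSTEM hive loaded) and corroborate the domain list against DNS server, proxy or firewall logs rather than the local resolver cache, which is short-lived and only reflects lookups the rootkit let the stack see.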
Analysis by Andrei Florin Saygo
Prevention