Trojan:Win32/Ransirac.A is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
When executed, Trojan:Win32/Ransirac.A copies itself to the following locations:
- <system folder>\inetaccelerator.exe
- c:\documents and settings\administrator\application data\inetaccelerator\inetaccelerator.exe
- c:\documents and settings\all users\application data\inetaccelerator\inetaccelerator.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "InetAccelerator"
With data: "c:\windows\system32\inetaccelerator.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "InetAccelerator"
With data: "c:\documents and settings\administrator\application data\inetaccelerator\inetaccelerator.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
Adds value: "Userinit"
With data: "c:\windows\system32\inetaccelerator.exe,c:\windows\system32\userinit.exe,"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Payload
Contacts remote host
Trojan:Win32/Ransirac.A may contact a remote host at landing.qpoe.com using port 8080. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 ad84dd360a54cddf3c193b107a77036590698a95.
