
Trojan.Rerdom


First posted on 01 July 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Rerdom.

Explanation :

When this Trojan is executed, it creates the following files:
%SystemDrive%\Documents and Settings\All Users\Application Data\Gyobqoce
%SystemDrive%\Documents and Settings\All Users\Application Data\Gyobqoce\ovonx.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\Laqixea
%SystemDrive%\Documents and Settings\All Users\Application Data\Laqixea\yzmiylq.exe
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\K9QRKXI3\08230c6830948e3dd25f948b[1].txt
%Windir%\Tasks\Security Center Update - 1365537861.job
%Windir%\Tasks\Security Center Update - 2710767946.job
%System%\utvianpefo.exe
%System%\uxvuemtar.exe
The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer2710767946\Security\"Security" = "hex:01,00,14,..."
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer2710767946\"Type" = "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer2710767946\"Start" = "2"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer2710767946\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer2710767946\"ImagePath" = expand:"\"%System%\utvianpefo.exe\" -service \"%SystemDrive%\Documents and Settings\All Users\Application Data\Gyobqoce\ovonx.exe\""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer2710767946\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer2710767946\"DisplayName" = "Security Center Server - 2710767946"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer1365537861\Security\"Security" = "hex:01,00,14..."
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer1365537861\"Type" = "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer1365537861\"Start" = "2"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer1365537861\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer1365537861\"ImagePath" = expand:"\"%System%\uxvuemtar.exe\" -service \"%SystemDrive%\Documents and Settings\All Users\Application Data\Laqixea\yzmiylq.exe\""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer1365537861\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurityCenterServer1365537861\"DisplayName" = "Security Center Server - 1365537861"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER2710767946\0000\"Service" = "SecurityCenterServer2710767946"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER2710767946\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER2710767946\0000\"DeviceDesc" = "Security Center Server - 2710767946"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER2710767946\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER2710767946\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER2710767946\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER2710767946\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER1365537861\0000\"Service" = "SecurityCenterServer1365537861"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER1365537861\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER1365537861\0000\"DeviceDesc" = "Security Center Server - 1365537861"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER1365537861\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER1365537861\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER1365537861\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SECURITYCENTERSERVER1365537861\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Yxipekokcyw" = "\"%SystemDrive%\Documents and Settings\All Users\Application Data\Laqixea\yzmiylq.exe\""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Emomdycufy" = "\"%SystemDrive%\Documents and Settings\All Users\Application Data\Gyobqoce\ovonx.exe\""
HKEY_LOCAL_MACHINE\Software\Dguqszfqxx\"License" = "1bc"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Emomdycufy" = "\"%SystemDrive%\Documents and Settings\All Users\Application Data\Gyobqoce\ovonx.exe\""
HKEY_CURRENT_USER\Software\Dguqszfqxx\"License" = "1bc"
Each of the two services runs as LocalSystem, starts automatically at boot (Start = 2) and launches one of the loaders dropped into %System%, which in turn starts the payload under Application Data named in its -service argument. The Run values start the same payloads at logon, and the two .job files under %Windir%\Tasks give the Trojan a scheduled-task foothold as well, so removing only one of these mechanisms leaves it able to restart.
Next, the Trojan deletes the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
This key holds the driver and service allow-lists Windows uses for Safe Mode; with it removed the computer can no longer boot into Safe Mode, which hinders manual removal.
The Trojan uses the compromised computer to perform click fraud.

The Trojan connects to the following remote locations to receive click fraud URLs:
cioco-froll.com
promsvazb.ru
usamixing.su
kinure-desrt.su
jufer-hill.ru
easyreding.su
zoozizzaro.com
linicingo.com
offlinemech.com
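A host triage script for the artifacts above, added here as an example and not part of Symantec's writeup or tooling. It checks a Windows host for the services and their legacy Enum\Root stubs, the Run values and the Dguqszfqxx marker key, the dropped executables, the .job files, the missing SafeBoot key and the click fraud domains. It assumes that the numeric suffixes in the service and task names vary per infection (so they are matched as any run of digits), that %ProgramData% is the modern equivalent of the XP-era All Users\Application Data directory, and that Get-DnsClientCache is available (Windows 8 / Server 2012 and later); the directory, value and key names are the ones from the analysed sample and may differ in other samples.

```powershell
#Requires -RunAsAdministrator
# Added example: triage a host for the Trojan.Rerdom artifacts listed in the writeup.
# Assumptions: numeric suffixes in service/task names vary per infection; %ProgramData%
# stands in for "Documents and Settings\All Users\Application Data" on Vista and later;
# directory, value and key names are taken from the analysed sample.

function Find-RerdomArtifacts {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Services registered by the dropper: ImagePath is "<%System% loader> -service <payload>".
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^SecurityCenterServer\d+$' } |
        ForEach-Object {
            $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            $findings.Add("service: $($_.PSChildName) ImagePath=$img")
        }

    # Legacy device-enumeration stubs the Service Control Manager created for those services.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^LEGACY_SECURITYCENTERSERVER\d+$' } |
        ForEach-Object { $findings.Add("enum stub: $($_.PSChildName)") }

    # Run-key persistence and the "License" marker key (names are sample-specific).
    $runValueNames = 'Yxipekokcyw', 'Emomdycufy'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $runKey = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        foreach ($name in $runValueNames) {
            if ($run -and $run.PSObject.Properties[$name]) {
                $findings.Add("run value: $runKey\$name = $($run.$name)")
            }
        }
        if (Test-Path "$hive\SOFTWARE\Dguqszfqxx") {
            $findings.Add("marker key: $hive\SOFTWARE\Dguqszfqxx")
        }
    }

    # Dropped executables: the XP path is checked literally and via its modern equivalent.
    $allUsersAppData = @(
        "$env:SystemDrive\Documents and Settings\All Users\Application Data",
        $env:ProgramData
    ) | Where-Object { $_ }
    $dropped = @("$env:SystemRoot\System32\utvianpefo.exe", "$env:SystemRoot\System32\uxvuemtar.exe")
    foreach ($base in $allUsersAppData) {
        $dropped += "$base\Gyobqoce\ovonx.exe", "$base\Laqixea\yzmiylq.exe"
    }
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path) { $findings.Add("file: $path") }
    }

    # Legacy scheduled-task job files under %Windir%\Tasks.
    Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^Security Center Update - \d+\.job$' } |
        ForEach-Object { $findings.Add("task: $($_.FullName)") }

    # SafeBoot holds the Safe Mode allow-lists; if it is gone, Safe Mode cannot boot.
    if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
        $findings.Add('registry: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot is missing')
    }

    # Click-fraud servers, checked against the local resolver cache.
    $c2 = 'cioco-froll.com', 'promsvazb.ru', 'usamixing.su', 'kinure-desrt.su', 'jufer-hill.ru',
          'easyreding.su', 'zoozizzaro.com', 'linicingo.com', 'offlinemech.com'
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($entry in $cache) {
        if ($c2 -contains $entry.Entry.ToLower()) {
            $findings.Add("dns cache: $($entry.Entry) -> $($entry.Data)")
        }
    }

    return $findings
}

$hits = @(Find-RerdomArtifacts)
if ($hits.Count -eq 0) { 'No Trojan.Rerdom artifacts found.' } else { $hits }
```

Run it from an elevated PowerShell prompt; a missing SafeBoot key or a SecurityCenterServer service are the strongest signals, since the other file and value names are likely to change between samples. On a host that has already been cleaned, the Enum\Root stubs and the .job files are often what remains.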

Last update 01 July 2015