
Trojan:Win32/Raydefun.A


First posted on 17 July 2015.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Raydefun.A.

Explanation:

Threat behavior

Installation

This threat is a hacked version of a piece of software that uninstalls Windows Defender. It was modified to run silently and without any confirmation prompt, to evade detection.

It disables earlier versions of Windows Defender (on Windows XP, Windows Vista, and Windows 7) and has some negative effects on Windows Defender in Windows 8 and later versions.

It might be installed by an exploit or another piece of malware.

We have observed it being installed to %TEMP%\<8 hexadecimal digits>\<10 hexadecimal digits>.exe, for example, %TEMP%\37850f9c\142556893348551.exe.

It drops a clean file to %TEMP%\setacl.exe, which it uses to set permissions for the various files and registry entries that it tries to delete. It might try to remove the setacl.exe file again after it has finished running.

Payload


Attempts to disable and uninstall Windows Defender

If the Windows Defender process MSASCui.exe is running, the threat might try to close or stop it.

It also tries to:

  • Stop and delete the Windows Defender (WinDefend) service.
  • Remove the following folders and all subfolders and files if they are present:
    • %ProgramFiles%\Windows Defender
    • %ProgramFiles%\Microsoft\Windows Defender
  • Remove the registry key HKLM\SOFTWARE\Microsoft\Windows Defender and all of its subkeys.
  • Remove the Windows Defender Control Panel entry and various other registry entries associated with Windows Defender.
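The list above doubles as a checklist for verifying that Windows Defender is still intact on an older system. The following read-only PowerShell check is an added example, not part of the Microsoft entry: it reports the WinDefend service state, the program folders, the registry key, and the dropped-file locations named above. The function name `Test-DefenderTampering` and the loosened file-name pattern (the entry's own example file name is longer than the stated ten hexadecimal digits) are this example's assumptions.

```powershell
# Added example, not from the Microsoft entry. Read-only check of the Windows
# Defender artifacts the threat tampers with. Run in an elevated PowerShell.
function Test-DefenderTampering {
    $findings = @()

    # 1. WinDefend service: the threat stops and deletes it.
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += 'WinDefend service is missing'
    } elseif ($svc.Status -ne 'Running') {
        $findings += "WinDefend service is $($svc.Status)"
    }

    # 2. Program folders the threat removes with all subfolders and files.
    $folders = @(
        (Join-Path $env:ProgramFiles 'Windows Defender'),
        (Join-Path $env:ProgramFiles 'Microsoft\Windows Defender')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path -LiteralPath $f)) { $findings += "Folder missing: $f" }
    }

    # 3. Registry key the threat removes together with its subkeys.
    if (-not (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender')) {
        $findings += 'Registry key HKLM\SOFTWARE\Microsoft\Windows Defender is missing'
    }

    # 4. Dropped helper %TEMP%\setacl.exe. The threat may delete it again after
    #    running, so its absence proves nothing; its presence is worth a look.
    $setacl = Join-Path $env:TEMP 'setacl.exe'
    if (Test-Path -LiteralPath $setacl) { $findings += "Dropped helper present: $setacl" }

    # 5. Installer location %TEMP%\<8 hex digits>\<digits>.exe. The pattern is
    #    deliberately loose (assumption) to cover the entry's own example name.
    $dirs = Get-ChildItem -Path $env:TEMP -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9a-f]{8}$' }
    foreach ($d in $dirs) {
        $exes = Get-ChildItem -Path $d.FullName -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '^[0-9a-f]{10,}$' }
        foreach ($e in $exes) { $findings += "Suspicious installer: $($e.FullName)" }
    }

    return $findings
}

$result = @(Test-DefenderTampering)
if ($result.Count -eq 0) { 'No Windows Defender tampering indicators found' } else { $result }
```

On Windows 8 and later, where Windows Defender lives under a different service and folder layout, a missing folder alone is not conclusive; treat the service and registry findings as the stronger signals.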




Analysis by David Wood

Symptoms

Alerts from your security software might be the only symptom.

Last update 17 July 2015
