Home / malware Trojan:Win32/R2d2.A!rootkit
First posted on 13 October 2011.
Source: SecurityHomeAliases :
Trojan:Win32/R2d2.A!rootkit is also known as Win-Trojan/R2d2.5376 (AhnLab), W32/R2D2.A (Command), BackDoor.R2D2.1 (Dr.Web), Win32/R2D2.A (ESET), Backdoor.Win32.R2D2.a (Kaspersky), Troj/BckR2D2-A (Sophos), Backdoor.R2D2 (Symantec), Rootkit.R2D2.B (VirusBuster).
Explanation :
Trojan:Win32/R2d2.A!rootkit is a component of Backdoor:Win32/R2d2.A. It can delete or rename protected files, modify file properties and perform other actions.
Top
Trojan:Win32/R2d2.A!rootkit is a component of Backdoor:Win32/R2d2.A. It can delete or rename protected files, modify file properties and perform other actions.
Installation
This malware is installed by another process and may be present in the Windows system folder as the following:The trojan executes as a service named "winsys32".
- %windir%\System32\winsys32.sys
Payload
Performs file operations on protected files/modifies system dataThis malware is used by Backdoor:Win32/R2d2.A to perform the following actions:
- Delete or rename protected files by modifying registry data in the following subkey:
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperation
- Modify other registry data
- Modify file information properties of other files via the Windows kernel-mode driver support routine ZwSetInformationFile
- Create or modify files
- Link to \\Device\KeyboardClassC to capture keystrokes
Analysis by Jireh SanicoLast update 13 October 2011
