Home / malware TrojanSpy:Win32/Ranbyus.N
First posted on 28 November 2014.
Source: MicrosoftAliases :
There are no other names known for TrojanSpy:Win32/Ranbyus.N.
Explanation :
Threat behavior
Installation
This threat can create files on your PC, including:
\system check.lnk \smiauftnfdmohp.exe
Payload
Bypasses firewall
This threat tries to bypass your firewall by modifying the registry. For example:
In subkey:HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
Sets value: "\svchost.exe"
With data: "\svchost.exe:*:enabled:mklwvcpqfgilgmjaxcgjmjcijd"
This threat can create one or more mutexes on your PC. For example:
This malware description was published using automated analysis of file SHA1 26a0cca661d24799746eb5e926c41b0a0fa8d168. Symptoms
- 2D5C55C00000035401CFFA99LWRRQTZzVmQnU
- 87b3c64lkj48gd
- InstalledMutex
- v&xEiR43#$
The following can indicate that you have this threat on your PC:
- You see these files:
\system check.lnk \smiauftnfdmohp.exe - You see registry modifications such as:
- In subkey: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
Sets value: "\svchost.exe"
With data: "\svchost.exe:*:enabled:mklwvcpqfgilgmjaxcgjmjcijd" - You see a mutex such as:
- 2D5C55C00000035401CFFA99LWRRQTZzVmQnU
- 87b3c64lkj48gd
- InstalledMutex
- v&xEiR43#$
Last update 28 November 2014
