
Trojan.Rikamanu


First posted on 28 July 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Rikamanu.

Explanation :

Once executed, the Trojan creates the following files:
%Windir%\Help\CNDY.DAT
%System%\drivers\Irmon.dll
Next, the Trojan creates a service with the following properties:
Display name: Irmon
Image path: %System%\svchost.exe -k netsvcs
Description: The infrared Port Monitor is present for all computers with infrared ports. It initiates file transfer between your computer and another device, like a PDA or mobile phone.
It then creates the following registry subkey to register itself as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon
The Trojan then logs keystrokes made on the compromised computer and saves the stolen information to the following location:
%Windir%\Help\CNDY.DAT
The Trojan may then send the information to a remote attacker.
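
The following read-only host check is an added example, not part of the original write-up. It looks for the two files and the service key listed above. Because the service presents itself as an infrared port monitor, the script treats the key name alone as weak evidence and compares the DLL the service loads instead. It assumes that DLL is named in the standard `Parameters\ServiceDll` value used by svchost-hosted services, which the write-up does not state.

```powershell
# Added triage example (not from the original write-up). Read-only checks.
# Assumption: %System% is the Windows system directory and the svchost-hosted
# service names its DLL in the standard Parameters\ServiceDll value.
$sysDir     = [Environment]::SystemDirectory
$droppedDll = Join-Path $sysDir 'drivers\Irmon.dll'
$logFile    = Join-Path $env:windir 'Help\CNDY.DAT'
$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\irmon'
$findings   = @()

# 1. Files the write-up lists. -Force also returns hidden/system files.
foreach ($path in $droppedDll, $logFile) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        # Hashing can fail if the file is locked; the finding is still recorded.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File present'
            Detail    = "$path ($($item.Length) bytes, created $($item.CreationTimeUtc.ToString('u')), SHA256 $hash)"
        }
    }
}

# 2. Service key. The key name alone is weak evidence, so compare the DLL it loads.
if (Test-Path -LiteralPath $svcKey) {
    $svc    = Get-ItemProperty -LiteralPath $svcKey
    $params = Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue
    $dll    = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
    if ($dll -ieq $droppedDll) {
        $findings += [pscustomobject]@{
            Indicator = 'Service loads dropped DLL'
            Detail    = "ImagePath=$($svc.ImagePath); ServiceDll=$dll"
        }
    } else {
        Write-Host "irmon service key exists; ServiceDll='$dll' (review manually)"
    }
}

if ($findings.Count) { $findings | Format-List } else { Write-Host 'No listed artifacts found.' }
```

Run it from a 64-bit PowerShell session so that the system directory is not redirected to SysWOW64.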

Last update 28 July 2015

 
