
TrojanDropper:Win32/Resmu.A


First posted on 30 August 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Resmu.A is also known as Rootkit.Agent.YJDJ (VirusBuster), Win32/Rootkit.Agent.NRQ (ESET), Troj/Mdrop-CUE (Sophos).

Explanation :

TrojanDropper:Win32/Resmu.A is a trojan that drops other malware on the computer.

Payload :

Drops other malware

Upon execution, TrojanDropper:Win32/Resmu.A drops Trojan:Win32/Resmu.A!rootkit as the following file:

  • <system folder>\drivers\srenum.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.

It registers the dropped file as a service and creates the registry entry that allows the rootkit to run at startup:

Adds value: "ImagePath"
With data: "<system folder>\drivers\srenum.sys"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\srenum

It also drops and executes the following threat-related files on the system as part of its routine:

  • %windir%\inf\oem4.inf
  • %windir%\inf\oem4.PNF
  • %windir%\inf\oem5.inf
  • %windir%\inf\oem5.PNF
  • <current folder>\ndisrd.sys
  • <current folder>\ndisrd.inf
  • <current folder>\ndisrd_m.inf
  • <current folder>\snetcfg.exe
  • <current folder>\drvsign.exe

where <current folder> is the folder where TrojanDropper:Win32/Resmu.A is currently running.
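The artifacts above can be checked on a Windows host with the following read-only hunt script, added here as an example and not part of the original write-up. The service name, registry key, driver path and file names come from this page; the function name Find-ResmuArtifacts and its -CurrentFolder parameter are assumptions.

```powershell
# Added example: read-only check for the Resmu.A artifacts described on this page.
# Run elevated; it only reads the registry and file system and changes nothing.
function Find-ResmuArtifacts {
    param(
        # <current folder> is wherever the dropper ran; supply it if known (assumed parameter).
        [string]$CurrentFolder
    )
    $findings = @()
    $system32 = [Environment]::GetFolderPath('System')   # resolves <system folder>
    $windir   = $env:windir
    # 1. Persistence: the service key and ImagePath value the dropper registers.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\srenum'
    if (Test-Path -LiteralPath $svcKey) {
        $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{ Type = 'Service'; Item = $svcKey; Detail = "ImagePath=$img" }
    }
    # 2. The dropped rootkit driver. Strong indicator if present, but an active
    #    rootkit may hide it from user mode, so corroborate from an offline image.
    $driver = Join-Path $system32 'drivers\srenum.sys'
    if (Test-Path -LiteralPath $driver) {
        $hash = (Get-FileHash -LiteralPath $driver -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'Driver'; Item = $driver; Detail = "SHA256=$hash" }
    }
    # 3. oemN.inf/.PNF are the names Windows gives any third-party driver package
    #    it installs, so by themselves they are weak evidence; report them, but
    #    weight them below the service key and the driver file.
    foreach ($n in 'oem4.inf', 'oem4.PNF', 'oem5.inf', 'oem5.PNF') {
        $p = Join-Path $windir "inf\$n"
        if (Test-Path -LiteralPath $p) {
            $mtime = (Get-Item -LiteralPath $p).LastWriteTime
            $findings += [pscustomobject]@{ Type = 'Inf (weak)'; Item = $p; Detail = "LastWrite=$mtime" }
        }
    }
    # 4. Files dropped beside the dropper; only checkable if that folder is known.
    if ($CurrentFolder) {
        foreach ($n in 'ndisrd.sys', 'ndisrd.inf', 'ndisrd_m.inf', 'snetcfg.exe', 'drvsign.exe') {
            $p = Join-Path $CurrentFolder $n
            if (Test-Path -LiteralPath $p) {
                $findings += [pscustomobject]@{ Type = 'Dropped file'; Item = $p; Detail = '' }
            }
        }
    }
    return $findings
}
Find-ResmuArtifacts | Format-Table -AutoSize
```

Pair a hit on the service key or driver with a look at the service's start type and the driver's signature before deciding on remediation; the .inf hits alone should not trigger it.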

    Analysis by Marianne Mallen

    Last update 30 August 2010
