SecurityHome.eu Backdoor:Win32/Truvasys.A!dha

Home / malware PDF

Backdoor:Win32/Truvasys.A!dha

First posted on 15 December 2016.
Source: Microsoft
Aliases :
There are no other names known for Backdoor:Win32/Truvasys.A!dha.
Explanation :
When launched, this backdoor's initial dropper displays a message that appears to be selected at random. Here is one of the messages:

The version of Microsoft Office installed on this system is not updated.

The dropper then creates a hidden folder rspDB inside the %TEMP% folder and places several files inside that folder:

%TEMP%/rspDB/resdllx.dll - a clean DLL file containing functions for secure communications

%TEMP%/rspDB/winxsys.exe - the main backdoor component

%TEMP%/rspDB/parameters.txt - a configuration file

The configuration file stores backdoor settings, including its command and control (C&C) addresses, communication port, and registry keys and values. An attacker may change these settings to keep the backdoor and its activities from being noticed.

To stay persistent, this backdoor creates the following autorun registry entry:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: TaskMgr
Data: C:\Users\Pedro\AppData\Local\Temp\rspDB\winxsys.exe

Analysis by Mathieu Letourneau
Last update 15 December 2016

TOP

Malware :

Last 20

Backdoor:Win32/Truvasys.A!dha

Aliases :

Explanation :

Malware :

Family: