TROJ_ROVNIX.FB
Trojan-Ransom.Win32.PornoAsset.ckkk(Kaspersky), TrojanDropper:Win32/Rovnix.L(Microsoft), Trojan.Cidox.C(Symantec), PWSZbot-FRG!56DB6A59AEBB(McAfee), Trojan-PWS.Win32.Fareit(Ikarus), a variant of Win32/Kryptik.BRHX trojan(Eset)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It restarts the affected system.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- %System%\{random file name}
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops and executes the following files:
- {malware path}\{random 8 characters}.bat - used to delete itself
Other Details
This Trojan checks for the presence of the following process(es):
- vmusrvc.exe
- vpcmap.exe
- vmsrvc.exe
- vboxservice.exe
- vboxtray.exe
- ollydbg.exe
- windbg.exe
- idag.exe
- idag64.exe
- pexplorer.exe
- lordpe.exe
- hiew32.exe
- bindiff.exe
- wireshark.exe
It restarts the affected system.
NOTES:
It modifies the NTFS boot sector to load its encrypted code.
It also hooks the following APIs:
- NtQueryDirectoryFile
- NtClose
- NtOpenFile
- NtQueryInformationFile
- NtSetInformationFile
- NtCreateFile
- NtDeleteFile
- NtShutdownSystem
- NtOpenKey
- NtEnumerateKey
- NtCreateKey
This malware log keys, Ammyy Admin IDs, and passwords.
SOLUTION
NOTES:
For Trend Micro product users, use the ATTK with ATRT to restore the modified Initial Program Loader (IPL) of an active NTFS partition.
Did this description help? Tell us how we did.