TrojanSpy.Win32.DRIDEX.TIAOABAZ
Gen:Variant.Razy.569182 (BITDEFENDER)
Windows
Threat Type: Trojan Spy
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It scans the computer for registry keys related to antivirus and security applications. This action allows the malware to possibly avoid detection in the computer.
It connects to a website to send and receive information.
TECHNICAL DETAILS
237,568 bytes
EXE
Yes
17 Oct 2019
Arrival Details
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan Spy adds the following processes:
- %System%\whoami.exe /all
- %System%\net.exe view
- %System%\raserver.exe "{malware path and filename}"
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
It injects codes into the following process(es):
- %System%\raserver.exe
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Other System Modifications
This Trojan Spy scans the system for the following registry keys, which are related to antivirus and security applications:
HKEY_LOCAL_MACHINE\Software\TrendMicro
Vizor =
Backdoor Routine
This Trojan Spy connects to the following websites to send and receive information:
- 194.{BLOCKED}.{BLOCKED}.198
- 176.{BLOCKED}.{BLOCKED}.143
- 195.{BLOCKED}.{BLOCKED}6.1
Information Theft
This Trojan Spy gathers the following data:
- Running Processes
- Computer Username
- Installed Applications
- Process Memory Information
- Related System Information:
- Build GUID
- Build Lab
- Build Lab Ex
- CSD Build Number
- CSD Version
- Current Build Number
- Current Type
- Current Version
- Digital Product ID
- Edition ID
- Install Date
- Installation Type
- OS Version
- Path Name
- Product ID
- Product Name
- Registered Organization
- Registered Owner
- Software Type
- System Root
Other Details
This Trojan Spy does the following:
- checks for the existence of %System Root%\testapp.exe
(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)
SOLUTION
9.850
15.454.08
26 Oct 2019
15.455.00
27 Oct 2019
Step 1
Trend Micro products with the XGen technology detect this malware as
Step 2
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 3
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 4
Restart in Safe Mode
Step 5
Search and delete these files
- %System Root%\testapp.exe
Step 6
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TrojanSpy.Win32.DRIDEX.TIAOABAZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.