TROJ_ROVNIX.FB
Trojan-Ransom.Win32.PornoAsset.ckkk(Kaspersky), TrojanDropper:Win32/Rovnix.L(Microsoft), Trojan.Cidox.C(Symantec), PWSZbot-FRG!56DB6A59AEBB(McAfee), Trojan-PWS.Win32.Fareit(Ikarus), a variant of Win32/Kryptik.BRHX trojan(Eset)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It restarts the affected system.
TECHNICAL DETAILS
280,576 bytes
EXE
Yes
04 Sep 2014
Steals information
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- %System%\{random file name}
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops and executes the following files:
- {malware path}\{random 8 characters}.bat - used to delete itself
Other Details
This Trojan checks for the presence of the following process(es):
- vmusrvc.exe
- vpcmap.exe
- vmsrvc.exe
- vboxservice.exe
- vboxtray.exe
- ollydbg.exe
- windbg.exe
- idag.exe
- idag64.exe
- pexplorer.exe
- lordpe.exe
- hiew32.exe
- bindiff.exe
- wireshark.exe
It restarts the affected system.
NOTES:
It modifies the NTFS boot sector to load its encrypted code.
It also hooks the following APIs:
- NtQueryDirectoryFile
- NtClose
- NtOpenFile
- NtQueryInformationFile
- NtSetInformationFile
- NtCreateFile
- NtDeleteFile
- NtShutdownSystem
- NtOpenKey
- NtEnumerateKey
- NtCreateKey
This malware log keys, Ammyy Admin IDs, and passwords.
SOLUTION
9.700
11.128.05
05 Sep 2014
11.129.00
05 Sep 2014
NOTES:
For Trend Micro product users, use the ATTK with ATRT to restore the modified Initial Program Loader (IPL) of an active NTFS partition.
Did this description help? Tell us how we did.