Win32/Redyms [Threat Name] go to Threat

Win32/Redyms.AF [Threat Variant Name]

Category trojan
Size 282624 B
Aliases (Kaspersky)
  Trojan:Win32/Ramdo.A (Microsoft)
Short description

Win32/Redyms.AF is a trojan that changes results of online search engines. The trojan serves as a backdoor. It can be controlled remotely.


When executed the trojan copies itself in the following locations:

  • %appdata%\­Adobe\­acupx217.dll
  • %startup%\­EPUHelp.exe

This causes the trojan to be executed on every system start.

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Internet Explorer\­Main\­FeatureControl\­FEATURE_BROWSER_EMULATION]
    • "iexplore.exe" = 9000
    • "twunk32.exe" = 9000
    • "winhlp32.exe" = 9000

The trojan launches the following processes:

  • twunk_32.exe
  • winhlp32.exe
  • iexplore.exe
  • %variable%

A string with variable content is used instead of %variable% .

The trojan creates and runs a new thread with its own code within these running processes.

The trojan quits immediately if it is run within a debugger.

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Redyms.AF is a trojan that steals sensitive information.

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • monitor network traffic
  • modify network traffic
  • modify the content of websites
  • open a specific URL address

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Win32/Redyms.AF is a trojan that changes results of online search engines.

The following services are affected:

  • Google

The following programs are affected:

  • Internet Explorer

The trojan checks for Internet connectivity by trying to connect to the following servers:


The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Adobe\­Acrobat Reader\­10.0\­IPM\­iTestPropulsion]
  • [HKEY_CURRENT_USER\­SOFTWARE\­Adobe\­Acrobat Reader\­10.0\­IPM\­iTestShears]

The trojan hooks the following Windows APIs:

  • CoCreateInstance (ole32.dll)
  • DialogBoxIndirectParamAorW (user32.dll)
  • GetCursorPos (user32.dll)
  • waveOutOpen (winmm.dll)
  • waveOutSetVolume (winmm.dll)
  • WSPSend (mswsock.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.