Win32/Rustock [Threat Name]
Win32/Rustock.NIH [Threat Variant Name]
Category | trojan
Size | 92032 B
Aliases | Backdoor:WinNT/Rustock.AN (Microsoft), Backdoor.Rustock.B (Symantec), Win32:Zeroot-B (Avast), Win32/Rustock.M.virus (AVG), TR/Rootkit.Gen (Avira)
Short description
Win32/Rustock.NIH is a trojan that is used for spam distribution. The trojan serves as a backdoor. It can be controlled remotely.
Installation
The trojan is usually a part of other malware.
The trojan is usually found in the following folder:
- %system%\drivers\
The following filename is used:
- %variable%.sys
A string with variable content is used instead of %variable%.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable%]
- "ImagePath" = "%system%\drivers\%variable%.sys"
- "Type" = 1
- "Start" = 1
- "ErrorControl" = 1
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services]
- "kadfmmqr" = 1
The trojan creates and runs a new thread with its own program code within the following processes:
- services.exe
The following services are disabled:
- Background Intelligent Transfer Service
- Windows Update
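The persistence indicators listed above (a value written directly under the Services key, a kernel driver service with Type=1 and Start=1 loading from the drivers folder, and the two disabled services) can be triaged from an elevated PowerShell session. The script below is an added example written for this entry; it is not ESET's code and the entry contains no such tool. It assumes %system% means the System32 folder and that the host being examined is the local one. Because the driver hooks the registry APIs named further down, a clean result from a live system is not conclusive; confirm against an offline image of the disk and registry hives.

```powershell
# Added triage script (not part of the ESET entry). Run elevated on the host
# being examined. Absence of findings on a live system is not proof of a clean
# host, since the rootkit component can hide its key and file from user mode.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'   # %system%\drivers\

# 1. Values stored directly under the Services key (the entry lists "kadfmmqr" = 1).
#    This key normally holds only per-service subkeys, so any value here is suspect.
$servicesItem = Get-Item -Path $servicesKey
foreach ($name in $servicesItem.GetValueNames()) {
    if ($name -eq '') { continue }    # skip the (Default) value
    $value = $servicesItem.GetValue($name)
    Write-Output ("[stray value] {0}\{1} = {2}" -f $servicesKey, $name, $value)
}

# 2. Kernel driver services (Type=1, Start=1) whose ImagePath is a .sys file in
#    the drivers folder. Many legitimate drivers match, so the file-visibility
#    and Authenticode checks are what separate noise from a lead.
Get-ChildItem -Path $servicesKey | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath
    if ($svc.Type -ne 1 -or $svc.Start -ne 1 -or -not $svc.ImagePath) { return }
    if ($svc.ImagePath -match '(?i)drivers\\([^\\]+\.sys)$') {
        $file = Join-Path $driversDir $Matches[1]
        if (-not (Test-Path -LiteralPath $file)) {
            # A registered driver whose file is not visible from user mode is
            # either a stale entry or a hidden file; flag it either way.
            Write-Output ("[driver, file not visible] {0} -> {1}" -f $_.PSChildName, $file)
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') {
            Write-Output ("[driver, signature {0}] {1} -> {2}" -f $sig.Status, $_.PSChildName, $file)
        }
    }
}

# 3. The two services the entry says the trojan disables:
#    Background Intelligent Transfer Service (BITS) and Windows Update (wuauserv).
foreach ($svcName in 'BITS', 'wuauserv') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
    if ($null -eq $s) {
        Write-Output ("[service missing] {0}" -f $svcName)
        continue
    }
    if ($s.StartMode -eq 'Disabled') {
        Write-Output ("[service disabled] {0} ({1})" -f $s.Name, $s.DisplayName)
    }
}
```

Each finding is a lead, not a verdict: a disabled Windows Update service or an unsigned third-party driver can be legitimate, but the combination of a stray value under the Services key, a SYSTEM-start driver whose file cannot be seen, and both update-related services disabled matches the installation footprint described above and warrants pulling the driver file and hives from an offline copy of the disk.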
Other information
Win32/Rustock.NIH is a trojan that is used for spam distribution.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 23 URLs. The trojan generates various URL addresses. The HTTP, SMTP and SSL protocols are used.
It can execute the following operations:
- send spam
- update itself to a newer version
- download files from a remote computer and/or the Internet
- run executable files
- uninstall itself
- monitor network traffic
- shut down/restart the computer
The trojan hooks the following Windows APIs:
- ZwOpenKey (ntdll.dll)
- ZwCreateKey (ntdll.dll)
- ZwCreateEvent (ntdll.dll)
- TCPDispatchInternalDeviceControl (tcpip.sys)
The trojan hides its presence in the system. It uses techniques common to rootkits.