Win32/Rustock [Threat Name] go to Threat

Win32/Rustock.NIH [Threat Variant Name]

Category trojan
Size 92032 B
Aliases Backdoor:WinNT/Rustock.AN (Microsoft)
  Backdoor.Rustock.B (Symantec)
  Win32:Zeroot-B (Avast)
  Win32/Rustock.M.virus (AVG)
  TR/Rootkit.Gen (Avira)
Short description

Win32/Rustock.NIH is a trojan that is used for spam distribution. The trojan serves as a backdoor. It can be controlled remotely.


The trojan is usually a part of other malware.

The trojan is usually found in the following folder:

  • %system%\­drivers\­

The following filename is used:

  • %variable%.sys

A string with variable content is used instead of %variable% .

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­%variable%]
    • "ImagePath" = "%system%\­drivers\­%variable%.sys"
    • "Type" = 1
    • "Start" = 1
    • "ErrorControl" = 1
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services]
    • "kadfmmqr" = 1

The trojan creates and runs a new thread with its own program code within the following processes:

  • services.exe

The following services are disabled:

  • Background Intelligent Transfer Service
  • Windows Update
Other information

Win32/Rustock.NIH is a trojan that is used for spam distribution.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (23) URLs. The trojan generates various URL addresses. The HTTP, SMTP, SSL protocol is used.

It can execute the following operations:

  • send spam
  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • monitor network traffic
  • shut down/restart the computer

The trojan hooks the following Windows APIs:

  • ZwOpenKey (ntdll.dll)
  • ZwCreateKey (ntdll.dll)
  • ZwCreateEvent (ntdll.dll)
  • TCPDispatchInternalDeviceControl (tcpip.sys)

The trojan hides its presence in the system. It uses techniques common for rootkits.

Please enable Javascript to ensure correct displaying of this content and refresh this page.