Troj/Bckdr-RFM

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 09 Jan 2011 10:48:09 (GMT)
Last Updated: 09 Jan 2011 10:48:09 (GMT)


Troj/Bckdr-RFM is a Trojan for the Windows platform.

 

Troj/Bckdr-RFM may arrive as a dropper named "Real Kamasutra.pps. exe" (a filename made to look like a PowerPoint show).

 

Troj/Bckdr-RFM drops the following files:

<Windows>\AdobeUpdater.exe

<Profile>\Local Settings\Temp\<random number>.tmp\Real kamasutra.pps

<Profile>\Local Settings\Temp\<random number>.tmp\jqa.exe

<Profile>\Local Settings\Temp\<random number>.tmp\acrobat.exe

 

The following registry entries are created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adobe Updater

<Windows>\AdobeUpdater.exe

 

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

<Windows>\AdobeUpdater.exe

 

The Trojan contacts adobe.com and also the IP address 95.168.172.46, to which it sends the hostname, username and MAC address of the infected machine.

 

AdobeUpdater.exe responds to commands issued by the remote server.

These commands include:

shell

sleep

quit

kill

comd (used to transfer files to and from the remote server and to execute files the server uploads)
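The indicators above (the dropped AdobeUpdater.exe, the Run-key persistence entry, the firewall AuthorizedApplications exception and the file hashes listed in the examples further down) are enough for a simple offline triage check. The following script is an added example, not Sophos code: it hashes files under a directory against the SHA-1/MD5 values published on this page and parses a Windows registry export (.reg text) for the two persistence entries the Trojan creates. The .reg sample and the placeholder file in `demo()` are constructed for illustration; the registry key and value names are the ones the page lists.

```python
"""Triage helper for the Troj/Bckdr-RFM indicators listed above.

Added example, not Sophos code. Two offline checks:
  1. file hashes against the SHA-1 / MD5 values published on the page, and
  2. a .reg export for the Run-key entry and the firewall
     AuthorizedApplications\\List entry the Trojan creates.
"""
import hashlib
import os
import tempfile

# SHA-1 and MD5 values copied from the page (Examples 1-3 and the dropped file).
KNOWN_SHA1 = {
    "2429030786b6262ecd4fb4714dc87c95a390e67e",  # Example 1 (dropper)
    "d7b7ea14254d830d3329cf553726a0764655a400",  # dropped AdobeUpdater.exe
    "b26b85e4dc878d46e7f3be7adee67bed8e536f02",  # Example 2
    "cef3cbcac20dab1fa1efa0357494e627e3f45da4",  # Example 3
}
KNOWN_MD5 = {
    "f3b9ae43efb577f73ab4eaf79a944a00",
    "8b4c1b136241401f4fe723f0124cd62d",
    "18d73aac013b484482582e5f3d773a7b",
    "3bcfe5a16cf4e00f4e16866916fb071a",
}
C2_IP = "95.168.172.46"  # command-and-control address from the page; useful for proxy/firewall log searches

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed .reg text mirroring the entries the page reports (not a real export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Updater"="c:\\windows\\AdobeUpdater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\windows\\AdobeUpdater.exe"="c:\\windows\\AdobeUpdater.exe:*:Enabled:AdobeUpdater.exe"
'''


def file_hashes(path):
    """Return (sha1, md5) hex digests of a file, streamed in 64 KiB chunks."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def scan_directory(root, known_sha1=KNOWN_SHA1, known_md5=KNOWN_MD5):
    """Walk `root` and return paths whose SHA-1 or MD5 matches a known sample."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            sha1, md5 = file_hashes(path)
            if sha1 in known_sha1 or md5 in known_md5:
                hits.append(path)
    return hits


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; string values only, \\\\ unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            unescape = lambda s: s.strip('"').replace("\\\\", "\\")
            keys[current][unescape(name)] = unescape(data)
    return keys


def find_persistence(reg_text):
    """Return (kind, data) findings for the Run-key and firewall-exception IoCs."""
    keys = parse_reg_export(reg_text)
    findings = []
    run = keys.get(RUN_KEY, {})
    if run.get("Adobe Updater", "").lower().endswith("adobeupdater.exe"):
        findings.append(("run_key", run["Adobe Updater"]))
    for name, data in keys.get(FW_KEY, {}).items():
        if name.lower().endswith("adobeupdater.exe"):
            findings.append(("firewall_exception", data))
    return findings


def demo():
    """Run both checks on constructed data: a placeholder file plus SAMPLE_REG."""
    with tempfile.TemporaryDirectory() as tmp:
        placeholder = os.path.join(tmp, "AdobeUpdater.exe")  # constructed bytes, not the real dropper
        with open(placeholder, "wb") as fh:
            fh.write(b"MZ constructed placeholder, not malware\n")
        sha1, _ = file_hashes(placeholder)
        page_hits = scan_directory(tmp)                    # page hashes: no match expected
        self_hits = scan_directory(tmp, known_sha1={sha1})  # same logic with a matching hash
    return {
        "page_hash_hits": len(page_hits),
        "self_hash_hits": len(self_hits),
        "persistence": find_persistence(SAMPLE_REG),
    }


if __name__ == "__main__":
    print(demo())
```

On a real host you would point `scan_directory` at `C:\Windows` and the user Temp directories named above, and feed `find_persistence` the output of `reg export` for the two keys; a hit on the Run value alone is worth investigating even when the hash does not match, since recompiled variants change the hash but not the persistence name.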

 

Examples of Troj/Bckdr-RFM include:

Example 1

File Information

Size
61K
SHA-1
2429030786b6262ecd4fb4714dc87c95a390e67e
MD5
f3b9ae43efb577f73ab4eaf79a944a00
CRC-32
d4841d67
File type
application/x-ms-dos-executable
First seen
2011-01-09

Runtime Analysis

Dropped Files
  • C:\WINDOWS\AdobeUpdater.exe
    Size
    16K
    SHA-1
    d7b7ea14254d830d3329cf553726a0764655a400
    MD5
    8b4c1b136241401f4fe723f0124cd62d
    CRC-32
    e28120c2
    File type
    application/octet-stream
    First seen
    2011-01-09
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\windows\AdobeUpdater.exe
    c:\windows\AdobeUpdater.exe:*:Enabled:AdobeUpdater.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe Updater
    c:\windows\AdobeUpdater.exe

Example 2

File Information

Size
16K
SHA-1
b26b85e4dc878d46e7f3be7adee67bed8e536f02
MD5
18d73aac013b484482582e5f3d773a7b
CRC-32
5159e713
File type
application/x-ms-dos-executable
First seen
2011-01-09

Other vendor detection

Avira
HEUR/Malware

Runtime Analysis

HTTP Requests
  • http://-PC-OF-support:
  • http://www.adobe.com/
IP Connections
  • 95.168.172.46:80
DNS Requests
  • www.adobe.com

Example 3

File Information

Size
40K
SHA-1
cef3cbcac20dab1fa1efa0357494e627e3f45da4
MD5
3bcfe5a16cf4e00f4e16866916fb071a
CRC-32
3a671654
File type
application/x-ms-dos-executable
First seen
2011-01-09

Further information

There is more information about Troj/Bckdr-RFM on the blog article Death by PowerPoint? Kama Sutra presentation leads to backdoor infection.
