Troj/Bckdr-RFM

Category:	Viruses and Spyware	Protection available since:	09 Jan 2011 10:48:09 (GMT)
Type:	Trojan	Last Updated:	09 Jan 2011 10:48:09 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Troj/Bckdr-RFM is a Trojan for the Windows platform.

Troj/Bckdr-RFM may comes as a dropper named "Real Kamasutra.pps. exe"

Troj/Bckdr-RFM drops the following files:

<Windows>\AdobeUpdater.exe

<Profile>\Local Settings\Temp\<random number>.tmp\Real kamasutra.pps <Profile>\Local Settings\Temp\<random number>.tmp\jqa.exe <Profile>\Local Settings\Temp\<random number>.tmp\acrobat.exe

The following registry entries are created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adobe Updater

<Windows>\AdobeUpdater.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\

StandardPofile\AuthorizedApplications

List

<windows>\AdobeUpdater.exe

Contacts adobe.com but also IP address 95 . 168 . 172 . 46 and sends hostname, username, MAC Address to that IP address.

AdobeUpdater.exe will respond to commands issued by remote server.

These commands include:

shell

sleep

quit

kill

comd (used to transfer files to and from remote server and execute files server uploads)

Examples of Troj/Bckdr-RFM include:

Example 1

File Information

Size: 61K
SHA-1: 2429030786b6262ecd4fb4714dc87c95a390e67e
MD5: f3b9ae43efb577f73ab4eaf79a944a00
CRC-32: d4841d67
File type: application/x-ms-dos-executable
First seen: 2011-01-09

Runtime Analysis

Dropped Files

C:\WINDOWS\AdobeUpdater.exe
Size
16K
SHA-1
d7b7ea14254d830d3329cf553726a0764655a400
MD5
8b4c1b136241401f4fe723f0124cd62d
CRC-32
e28120c2
File type
application/octet-stream
First seen
2011-01-09

Registry Keys Created

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
c:\windows\AdobeUpdater.exe
c:\windows\AdobeUpdater.exe:*:Enabled:AdobeUpdater.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Updater
c:\windows\AdobeUpdater.exe

Example 2

File Information

Size: 16K
SHA-1: b26b85e4dc878d46e7f3be7adee67bed8e536f02
MD5: 18d73aac013b484482582e5f3d773a7b
CRC-32: 5159e713
File type: application/x-ms-dos-executable
First seen: 2011-01-09

Other vendor detection

Avira: HEUR/Malware

Runtime Analysis

HTTP Requests

http://-PC-OF-support:
http://www.adobe.com/

IP Connections

95.168.172.46:80

DNS Requests

www.adobe.com

Example 3

File Information

Size: 40K
SHA-1: cef3cbcac20dab1fa1efa0357494e627e3f45da4
MD5: 3bcfe5a16cf4e00f4e16866916fb071a
CRC-32: 3a671654
File type: application/x-ms-dos-executable
First seen: 2011-01-09

Further information

There is more information about Troj/Bckdr-RFM on the blog article Death by PowerPoint? Kama Sutra presentation leads to backdoor infection.

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

Troj/Bckdr-RFM

Example 1

File Information

Runtime Analysis

Dropped Files

Registry Keys Created

Example 2

File Information

Other vendor detection

Runtime Analysis

HTTP Requests

IP Connections

DNS Requests

Example 3

File Information

Further information

Free Mac Anti-Virus

Popular topics