Troj/RKDepo-A is a Trojan rootkit downloader for the Windows platform.
Troj/RKDepo-A attempts to hide information about its files and registry entries.
Troj/RKDepo-A periodically attempts to download and execute files from a number of websites.
Troj/RKDepo-A is a Trojan rootkit downloader for the Windows platform.
Troj/RKDepo-A attempts to hide information about its files and registry entries, providing stealthing by directly manipulating structures in the system kernel.
When first run Troj/RKDepo-A copies itself to <System>\sxlntr.exe and creates the clean log file <Temp>\dgkmldgmdfgdf.tjh.
Troj/RKDepo-A attempts to set the following registry entries to run itself on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
hdloker
<path to Trojan>
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
hdloker
<path to Trojan>
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<path to Trojan>
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<path to Trojan>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hdloker
<path to Trojan>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
hdloker
<path to Trojan>
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
load
<path to Trojan>
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
run
<path to Trojan>
The following registry entry is set to run sxlntr.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <path to Trojan>
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
Troj/RKDepo-A creates the following registy entry with a unique number to identify the infected computer:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
WINID
Troj/RKDepo-A periodically attempts to download and execute files from a number of websites to <Temp>\<randum numbers>.exe.