Dr. Web Finds Fresh Version of Trojan Rmnet
Doctor Web reports that the botnet built on the Win32.Rmnet.12 Trojan had already surpassed 1m infected hosts by April 2012. Recently, the company's analysts observed the malware spreading in a modified form, dubbed Win32.Rmnet.16.
Win32.Rmnet.16 differs chiefly from its predecessor in that it uses a digital signature to verify the IP address of the central C&C server. The Trojan's functional modules have also been revised.
The latest Rmnet is written in C and has numerous functional modules. The injector that places it on the target computer works in the same way as in Win32.Rmnet.12: it first injects itself into browser processes, then locates a temporary folder in which it stores its driver, runs that driver as a Windows service, and finally copies the Trojan into another temporary directory and into the startup folder. The copied file is given an arbitrary name with the .exe extension.
Like Win32.Rmnet.12, Rmnet.16 can write to the master boot record (MBR) and then store encrypted files at the end of the disk. When the OS restarts, control passes to the infected boot record, which reads the malicious components into memory, decrypts them and executes them. This executable component dropped by the Trojan has been named MBR.Rmnet.1.
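As an added defender-side example (not code from Doctor Web or from this article), the following Python script checks a raw disk image for the two traits just described: a modified MBR boot code and non-zero data sitting past the last partition, where a bootkit can stash encrypted components. The disk image, the "clean" boot code and its baseline hash are all constructed here for illustration; on a real system the baseline would come from a known-good image of the same machine.

```python
import hashlib
import struct

SECTOR = 512

def partitions(mbr: bytes):
    """Yield (lba_start, sector_count) for each MBR partition entry that is in use."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    for i in range(4):
        off = 446 + 16 * i                      # partition table starts at offset 446
        ptype = mbr[off + 4]                    # partition type byte
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count:
            yield lba, count

def check_disk(image: bytes, baseline_bootcode_sha256: str):
    """Return a list of findings; an empty list means both checks passed."""
    mbr = image[:SECTOR]
    findings = []
    # 1) boot code (first 446 bytes) must match the known-good baseline
    if hashlib.sha256(mbr[:446]).hexdigest() != baseline_bootcode_sha256:
        findings.append("mbr_bootcode_modified")
    # 2) space after the last partition should be empty; hidden payloads live there
    end_lba = max((lba + count for lba, count in partitions(mbr)), default=1)
    nonzero = sum(1 for b in image[end_lba * SECTOR:] if b)
    if nonzero:   # worth a manual look; some tools legitimately use this area
        findings.append(f"nonzero_bytes_after_last_partition={nonzero}")
    return findings

# Constructed sample data (not real Rmnet artifacts): a 16-sector disk image
CLEAN_BOOTCODE = b"\xeb\x3c\x90" + b"\x00" * 443
BASELINE_HASH = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()

def build_image(infected: bool) -> bytes:
    bootcode = bytearray(CLEAN_BOOTCODE)
    if infected:
        bootcode[0:3] = b"\xe9\x00\x01"         # hypothetical patched jump in the boot code
    # one partition of type 0x07 covering LBA 1..10, leaving sectors 11-15 unallocated
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 1, 10)
    mbr = bytes(bootcode) + entry + b"\x00" * 48 + b"\x55\xaa"
    # infected image carries 5 sectors of high-entropy data past the last partition
    tail = bytes(range(256)) * 10 if infected else b"\x00" * (5 * SECTOR)
    return mbr + b"\x00" * (10 * SECTOR) + tail

if __name__ == "__main__":
    for infected in (False, True):
        label = "infected" if infected else "clean"
        print(label, check_disk(build_image(infected), BASELINE_HASH))
```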
Additional modules are delivered to the Win32.Rmnet.16-infected host from remote C&C servers. Notably, the component FTP Grabber v2.0, designed to steal passwords from popular FTP clients, is loaded, along with a spyware module, an FTP server and many other functional elements.
Dr. Web's researchers said that the infecting payload included in the latest variant is polymorphic and is downloaded from a remote website controlled by the attackers.
The security company says it is tracking the new Rmnet botnet's growth and reports that the UK accounts for 55% of worldwide infections, followed by Australia at 40%. By city, London has the most infections with 5,747, followed by Sydney (3,120), Melbourne (2,670), Brisbane (2,320), Perth (1,481) and Adelaide (1,176).
» SPAMfighter News - 22-05-2012