W32/Ryknos.A
| Field | Value |
|---|---|
| Detected by virus detection files published | 11/10/2005 |
| Virus characteristics first published | 11/10/2005 |
| Virus characteristics latest update | 11/28/2005 |
| Alias | Win32.Ryknos.A, Backdoor.Breplibot.B, Troj/Stinx-E |
| Infection type | Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
| Type | Backdoor |
| Spreading mechanism | |
| Overall risk | Low |
| Destructivity | |
| Payload | Gives unauthorized access to computer. |
This is a backdoor trojan. File size is 10240 bytes. It is very closely related to the Breplibot series of backdoors. It is extremely buggy, and many of its features will not work.

The trojan copies itself to the System directory, where it attempts to use the same file name as one of the components of the First 4 Internet Digital Rights Management software. In certain settings this can hide the presence of the backdoor on the system. The backdoor also attempts to add itself as a trusted process with the Windows Firewall.

File system changes:
- Creates file <SYSTEMDIR>\$sys$drv.exe

Registry changes:
- Creates key "HKCU\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj" with the value "$sys$drv"="$sys$drv.exe"

The mangled registry key is another example of the bugs in the code: because the key is not the real Run key, it will not autostart the backdoor at boot.
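An added triage helper, not part of the advisory, that scans a .reg-style export for the indicators listed above. It also recognises the mangled key as the Run path with every byte XORed by 0x04, which is the editor's observation from comparing the two strings, not a statement from the advisory; the export text is constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Real autostart path and the mangled key quoted in the advisory.
RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
ADVISORY_KEY = r"HKCU\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"
ADVISORY_VALUE = "$sys$drv"  # value name and file stem from the advisory

def xor_distance(candidate: str) -> Optional[int]:
    """Single byte k with candidate[i] ^ k == RUN_PATH[i] for every i, else None."""
    if len(candidate) != len(RUN_PATH):
        return None
    ks = {ord(a) ^ ord(b) for a, b in zip(candidate, RUN_PATH)}
    return ks.pop() if len(ks) == 1 else None

def classify_key(key: str) -> str:
    """Real Run key, a single mangled subkey under Software, or something else."""
    _hive, _, rest = key.partition("\\")
    if rest.lower() == RUN_PATH.lower():
        return "run-key"
    parent, _, leaf = rest.rpartition("\\")
    if parent.lower() == "software":
        k = xor_distance(leaf)
        if k is not None:
            return f"mangled-run-key(xor=0x{k:02x})"
    return "other"

def scan_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Walk a .reg-style export and return (key, value_name, verdict) findings."""
    findings, key = [], None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]*)"="([^"]*)"$', line.strip())
        if not m or key is None:
            continue
        name, data = m.groups()
        verdict = classify_key(key)
        if ADVISORY_VALUE in name or ADVISORY_VALUE in data:
            verdict += "+ryknos-indicator"
        if verdict != "other":
            findings.append((key, name, verdict))
    return findings

# Constructed sample export: one normal Run entry, the advisory's key, one unrelated key.
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
[HKEY_CURRENT_USER\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj]
"$sys$drv"="$sys$drv.exe"
[HKEY_CURRENT_USER\Software\SomeVendor]
"Installed"="1"
"""
```

Run `scan_reg_export(SAMPLE_EXPORT)` to see the mangled key flagged as a non-functional Run key carrying the advisory's value name.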