Threat Encyclopedia


Installation
When executed, the trojan drops the following files in the C:\ folder:

NTDUBECT.EXE (58368 B)
_uninsep.bat

The following files are dropped into the %temp% folder:

SETUP.EXE (10916 B)
ANTIR.exe (17860 B)
ANTIR.sys (3072 B)
1.tmp (15488 B)
tmp.bat

The following Registry entries are created. Each Image File Execution Options subkey is named after a security product's executable, and its Debugger value makes Windows start TASKMAN.EXE in place of that program whenever it is launched, so the product never runs:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe]
"Debugger" = "TASKMAN.EXE"
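
Added here as an illustration, not code from the original entry: a Python script that parses a .reg export of the Image File Execution Options key and flags every Debugger value that does not point to a known debugger. The allowlist of debugger names and the sample export (built from two of the entries above plus one legitimate JIT-debugger registration, with a GlobalFlag value to show that non-string values are skipped) are constructed assumptions.

```python
"""Flag Image File Execution Options (IFEO) "Debugger" hijacks in a .reg export.

Added example, not part of the original encyclopedia entry.  Input is the text of
a registry export of the IFEO key (reg export writes UTF-16; decode it first).
KNOWN_DEBUGGERS is an assumed allowlist, not something the entry specifies.
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Debuggers an administrator might legitimately register (assumption for the example).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in .reg text.

    Only the "Name"="data" form is handled (dword:/hex: values are skipped),
    which is all the Debugger value needs. The spaced "Name" = "data" layout
    used in this entry is accepted as well.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            # .reg escapes backslash and quote with a backslash; undo that.
            data = re.sub(r"\\(.)", r"\1", m.group("data"))
            yield key, m.group("name"), data


def _exe_name(cmdline):
    """Executable file name from a command line, ignoring path, quotes and arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        first = s[1:].split('"', 1)[0]
    else:
        first = s.split()[0] if s else ""
    return first.replace("/", "\\").split("\\")[-1].lower()


def find_ifeo_hijacks(text, allowed=KNOWN_DEBUGGERS):
    """Return [(target_exe, debugger_cmdline)] for Debugger values not in allowed.

    Windows runs the Debugger command with the target's command line appended
    whenever target_exe is launched, so pointing it at anything that is not a
    real debugger silently blocks the target; that is how this trojan keeps the
    listed security products from starting.
    """
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, name, data in parse_reg_export(text):
        if name.lower() != "debugger" or not key.lower().startswith(prefix):
            continue
        target = key[len(prefix):]
        if _exe_name(data) not in allowed:
            hits.append((target, data))
    return hits


# Constructed sample: two entries from this trojan plus one legitimate JIT debugger.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger" = "TASKMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"
"GlobalFlag"=dword:00000002
"""

if __name__ == "__main__":
    for target, dbg in find_ifeo_hijacks(SAMPLE_EXPORT):
        print(f"IFEO hijack: launching {target} runs {dbg!r} instead")
```

On a live host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and open the file with encoding utf-16 before passing its text to find_ifeo_hijacks. The allowlist deliberately compares only the executable name, so a hijack that points at a copy of a real debugger in an unusual folder would still pass; checking the full path and the file's signature is the obvious tightening.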
The trojan registers itself as a system service using the following name:

IIS Manager


Other information

The trojan terminates processes with any of the following strings in the name:

RavMonD.exe
rfwsrv.exe
rfwmain.exe
kwatch.exe
kissvc.exe
kpfwsvc.exe
safeboxTray.exe
360tray.exe
360safe.exe

The following services are disabled:

Security Center
Windows Firewall/Internet Connection Sharing (ICS)
System Restore Service

If Kingsoft AntiVirus is installed on the infected system, the trojan replaces the following files with a copy of itself:

%programpath%\kpfwsvc.exe
%programpath%\Update\bin\kpfwsvc.exe
%programpath%\kasmain.exe
%programpath%\Update\bin\kasmain.exe
%programpath%\uplive.exe
%programpath%\Update\bin\uplive.exe
%programpath%\kwatch.exe
%programpath%\Update\bin\kwatch.exe
%programpath%\kissvc.exe
%programpath%\Update\bin\kissvc.exe

The trojan reads the product's installation folder (%programpath%) from the following Registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Kingsoft\Antivirus]
"ProgramPath"
If Rising Antivirus is installed on the infected system, the trojan replaces the following files with a copy of itself:

%installpath%\Scanner.dll
%installpath%\Update\Scanner.dll
%installpath%\SmartUp.exe
%installpath%\Update\SmartUp.exe
%installpath%\RavMonD.exe
%installpath%\Update\RavMonD.exe

The trojan reads the product's installation folder (%installpath%) from the following Registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\rising\Rav]
"installpath"
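
The "replaced with a copy of itself" behaviour applies to both the Kingsoft and the Rising file lists above, so one added example serves both. It is not code from the original entry: it hashes every executable, DLL and driver under the given product folders and reports any digest shared by more than one file, because distinct vendor binaries should never be byte-identical. The directory tree is a constructed fixture; on a real system the roots come from the ProgramPath and installpath Registry values quoted above.

```python
"""Find security-product binaries that have been overwritten with identical content.

Added example, not from the encyclopedia entry.  When a trojan replaces several
different vendor files with copies of itself, the replaced files hash identically,
which genuine, distinct binaries never do.  The directory layout and file names
below are constructed for the example; the 58368-byte body stands in for the
dropped NTDUBECT.EXE/RTHDCPL.exe (same size as listed in the entry).
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_identical_binaries(roots, exts=(".exe", ".dll", ".sys")):
    """Return {sha256: sorted paths} for digests shared by two or more files under roots.

    The comparison is by content, so a size match alone is not enough; a trojan
    that padded each copy differently would need a looser (e.g. section-level) check.
    """
    by_hash = defaultdict(list)
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower().endswith(exts):
                    p = os.path.join(dirpath, name)
                    by_hash[sha256_of(p)].append(p)
    return {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}


def build_sample_tree():
    """Constructed fixture: a Kingsoft and a Rising install after infection.

    Three distinct product files have been overwritten with the same dropper
    body; one unrelated DLL keeps its own content.
    """
    base = tempfile.mkdtemp(prefix="av_overwrite_demo_")
    dropper = b"MZ" + b"\x90" * 58366          # 58368 bytes, stand-in for the dropped PE
    layout = {
        "Kingsoft/Antivirus/kwatch.exe": dropper,
        "Kingsoft/Antivirus/Update/bin/kissvc.exe": dropper,
        "Rising/Rav/RavMonD.exe": dropper,
        "Rising/Rav/Scanner.dll": b"MZ" + b"\x00" * 1000,   # untouched file
    }
    for rel, body in layout.items():
        p = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(body)
    return base


def scan_sample():
    """Build the fixture and scan the two product roots, as the real check would."""
    base = build_sample_tree()
    roots = [os.path.join(base, "Kingsoft"), os.path.join(base, "Rising")]
    return find_identical_binaries(roots)


if __name__ == "__main__":
    for digest, paths in scan_sample().items():
        print(f"{len(paths)} files share {digest[:16]}...")
        for p in paths:
            print("   ", p)
```

A hit is not proof on its own (a vendor may ship the same stub twice), so confirm it by checking whether the files still carry the vendor's Authenticode signature, which an overwritten copy will not.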
The trojan may create copies of itself in the folder:

C:\Program files\Realtek\APPath\

The copy is given the following name:

RTHDCPL.exe (58368 B)

The trojan may set the following Registry entries. The Run values give the copy a name and path that imitate Realtek's audio control program; the 360Safe values are that product's protection switches, set to 0 (off):

[HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Windows\CurrentVersion\Run]
"SOUNDMAN"="C:\Program Files\Realtek\APPath\RTHDCPL.exe"

[HKEY_CURRENT_USER\SoftWare\Microsoft\Windows\CurrentVersion\Run]
"SOUNDMAN"="C:\Program Files\Realtek\APPath\RTHDCPL.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
"ExecAccess" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
"SiteAccess" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
"MonAccess" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
"UDiskAccess" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
"ARPAccess" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
"IEProtAccess" = 0
The trojan mutes the master volume control of the sound device.

The trojan tries to download and execute several files from the Internet. These are stored in the following locations:

%system%\WIN.INI
%system%\updatax.exe
%system%\%variable%.exe

A string with variable content is used instead of %variable%. The trojan contains a list of one URL.