Threat Encyclopedia


Win32/Olmarik.RN

Aliases: Trojan-Downloader.Win32.Agent.dmes (Kaspersky), Backdoor.Tidserv.K (Symantec), Trojan:Win32/Alureon.CT (Microsoft)
Type of infiltration: Trojan
Size: 22008 B
Affected platforms: Microsoft Windows
Signature database version: 4818 (20100129)


Short description

The trojan contains a backdoor and can be controlled remotely. It uses techniques common to rootkits. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:
  • %temp%\%random1%.tmp
  • %temp%\%random2%.tmp
A string with variable content is used instead of %random1-2%.

The following files are modified:
  • %system%\drivers\*.sys
It avoids files with the following filenames:
  • fvevol.sys
  • ksecdd.sys
  • win32k.sys
  • pci.sys
The modified file contains the original program code along with the program code of the infiltration.

The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%random3%]
    "ImagePath" = "%temp%\%random1%.tmp"
    "Type" = 1
A string with variable content is used instead of %random3%.

The trojan may create and run a new thread with its own program code within any running process.

Information stealing

The trojan collects the following information:
  • a list of recently visited URLs
  • operating system version
The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 7 URLs. The HTTP and HTTPS protocols are used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    "svchost.exe" = 8000
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MaxHttpRedirects" = 8000
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "EnableHttp1_1" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "CurrentLevel" = 0
    "1601" = 0
    "1400" = 0
The trojan can write its own data to the end of the physical drive.
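The following read-only triage script is an added example, not ESET's removal tool, and hunts a live host for the artifacts listed under Installation and Other information above (the %temp% driver service, the FEATURE_BROWSER_EMULATION and Internet Settings values, and drivers whose signature no longer verifies). It assumes an elevated PowerShell 5.1+ session on the suspect Windows machine.

```powershell
# Added triage script (not ESET's tool): read-only hunt for the host artifacts
# described above. Assumes an elevated PowerShell 5.1+ session; it reports, it does not clean.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Kernel-driver services (Type = 1) whose ImagePath is a .tmp file in a Temp directory,
#    matching both "%temp%\x.tmp" and an expanded "...\Temp\x.tmp" (-match is case-insensitive).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p.Type -eq 1 -and $p.ImagePath -match 'temp%?\\[^\\]+\.tmp$') {
        $findings.Add("Driver service '$($_.PSChildName)' loads $($p.ImagePath)")
    }
}

# 2. svchost.exe hosts no browser control, so any entry for it under FEATURE_BROWSER_EMULATION is suspect.
$fbe = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
$v = (Get-ItemProperty -Path $fbe -ErrorAction SilentlyContinue).'svchost.exe'
if ($null -ne $v) { $findings.Add("FEATURE_BROWSER_EMULATION\svchost.exe = $v") }

# 3. Internet zone (Zones\3) forced to a custom level (CurrentLevel = 0) with active scripting (1400)
#    and unencrypted form submission (1601) set to enabled (0), as in the description.
$z = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
if ($z -and $z.CurrentLevel -eq 0 -and $z.'1400' -eq 0 -and $z.'1601' -eq 0) {
    $findings.Add('Internet zone set to custom level with 1400 = 0 and 1601 = 0')
}

# 4. MaxHttpRedirects = 8000 is far outside any value a user or policy would set.
$is = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($is.MaxHttpRedirects -ge 8000) { $findings.Add("MaxHttpRedirects = $($is.MaxHttpRedirects)") }

# 5. Appending the infiltration's code to a driver breaks its Authenticode signature. Drivers that no
#    longer verify are candidates for manual review (catalog-signed drivers on old systems can also
#    report NotSigned, so confirm against known-good hashes before acting).
Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') { $findings.Add("Driver signature $($sig.Status): $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No Olmarik.RN-style artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the trojan uses rootkit techniques, file and registry reads on a live infected host may be filtered; the checks are more trustworthy when run against an offline image or after booting from clean media.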