Threat Encyclopedia
Short description
Win32/Vedrio.A installs a backdoor that can be controlled remotely. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following files:
  • %system%\Rasmon.dll (90112 B)
  • %windir%\DFS.bat
The trojan registers itself as a system service using the following name:
  • UpsWts
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_UPSWTS\0000\Control]
    "*NewlyCreated*" = 0
    "ActiveService" = "UpsWts"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_UPSWTS\0000]
This causes the trojan to be executed on every system start.

A string with variable content is used instead of %random%.
Other information
The trojan contains a backdoor.

The trojan is sent data and commands from a remote computer or the Internet.

The trojan connects to the following addresses:
  • 360.homeunix.com (TCP:443)
  • 192.168.5.164 (TCP:443)
It can execute the following operations:
  • download files from a remote computer and/or Internet
  • run executable files
  • create Registry entries
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Sun\1.1.2]
    "AppleTlk" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\Software\Sun\1.1.2]
    "IsoTp" = "%variable2%"
A string with variable content is used instead of %variable1% and %variable2%.
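The host artifacts listed under Installation and the addresses listed under Other information can be turned into a simple sweep. The following Python is an added example, not part of the encyclopedia entry or any vendor tool: it matches an inventory snapshot (file paths, service names, Registry keys) and a constructed connection log against the indicators above; the inventory format and the log line format are assumptions.

```python
import ipaddress
import re

# Indicators taken from the Win32/Vedrio.A description above.
VEDRIO_FILES = {"rasmon.dll", "dfs.bat"}            # matched on file name only
VEDRIO_SERVICE = "upswts"
VEDRIO_REG_PREFIXES = (
    r"hkey_local_machine\system\currentcontrolset\enum\root\legacy_upswts",
    r"hkey_local_machine\software\sun\1.1.2",
)
VEDRIO_C2 = {("360.homeunix.com", 443), ("192.168.5.164", 443)}

# Assumed log format: "<timestamp> <src> -> <dst>:<port>" (constructed, not a real product's format).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\w.\-]+):(?P<port>\d+)")


def check_host_inventory(files, services, reg_keys):
    """Return the Vedrio.A host indicators present in an inventory snapshot."""
    hits = [f"file:{f}" for f in files if f.rsplit("\\", 1)[-1].lower() in VEDRIO_FILES]
    hits += [f"service:{s}" for s in services if s.lower() == VEDRIO_SERVICE]
    hits += [f"registry:{k}" for k in reg_keys
             if k.lower().startswith(VEDRIO_REG_PREFIXES)]
    return hits


def check_connection_log(lines):
    """Return log lines whose destination matches a listed C2 address and port."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"].lower(), int(m["port"])
        if (dst, port) not in VEDRIO_C2:
            continue
        note = ""
        try:
            # 192.168.5.164 is RFC 1918 space: outside the sample's original
            # network it is a weak indicator, so flag it as such.
            if ipaddress.ip_address(dst).is_private:
                note = " (private address; weak indicator)"
        except ValueError:
            pass  # hostname, not an IP literal
        hits.append(f"{m['ts']} {m['src']} -> {dst}:{port}{note}")
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_FILES = [r"C:\Windows\System32\Rasmon.dll", r"C:\Windows\notepad.exe"]
SAMPLE_SERVICES = ["Spooler", "UpsWts"]
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPSWTS\0000\Control"]
SAMPLE_LOG = ["2024-05-01T10:00:00Z 10.0.0.5 -> 360.homeunix.com:443",
              "2024-05-01T10:00:02Z 10.0.0.5 -> example.com:443",
              "2024-05-01T10:00:05Z 10.0.0.7 -> 192.168.5.164:443"]

if __name__ == "__main__":
    print(check_host_inventory(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_KEYS))
    print(check_connection_log(SAMPLE_LOG))
```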