Short description
Win32/Rovnix.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. It uses techniques common for rootkits.
Installation
When executed, the trojan creates the following files:
- %variable%.log (77824 B)
- %variable%.sys (38528 B)
- c:\%variable%.bat
Installs the following system drivers:
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_%variable%.SYS\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "%variable%.sys"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_%variable%.SYS\0000]
"Service" = "%variable%.sys"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "%variable%.sys"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_%variable%.SYS\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "%variable%.sys"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_%variable%.SYS\0000]
"Service" = "%variable%.sys"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "%variable%.sys"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_%variable%.SYS]
"NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
%variable%.sys\Enum]
"0" = "Root\LEGACY_%variable%.SYS\0000"
"Count" = 1
"NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
%variable%.sys\Security]
"Security" = "%hexvalue%"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
%variable%.sys]
"Type" = 1
"Start" = 4
"ErrorControl" = 1
"ImagePath" = "%system%\%variable%.sys"
"DisplayName" = "%variable%.sys"
"DeleteFlag" = 1
- [HKEY_CURRENT_USER\Software\AppDataLow\{2EB8B042-32B9-3CC4-9653-2A3738FDEC81}]
"ID" = "%hexvalue%"
"Group" = 1016
"Config" = "%hexvalue%"
A string with variable content is used instead of %variable%.
Win32/Rovnix.A replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.
The trojan may create and run a new thread with its own program code within any running process.
After the installation is complete, the trojan deletes the original executable file.
Other information
The trojan collects various information when a certain application is being used.
The trojan collects information related to the following applications:
- explorer.exe
- iexplorer.exe
- firefox.exe
- chrome.exe
- opera.exe
- safari.exe
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of (2) URLs. The HTTP protocol is used.
The trojan hooks the following Windows APIs:
- InternetReadFile (Wininet.dll)
- InternetReadFileExA (Wininet.dll)
- InternetReadFileExW (Wininet.dll)
- HttpSendRequestA (Wininet.dll)
- HttpSendRequestW (Wininet.dll)
- InternetQueryDataAvailable (Wininet.dll)
- InternetReadFile (Wininet.dll)
- InternetReadFileExA (Wininet.dll)
- InternetReadFileExW (Wininet.dll)
- HttpSendRequestA (Wininet.dll)
- HttpSendRequestW (Wininet.dll)
- InternetQueryDataAvailable (Wininet.dll)
- InternetConnectA (Wininet.dll)
- InternetConnectW (Wininet.dll)
- HttpOpenRequestA (Wininet.dll)
- HttpOpenRequestW (Wininet.dll)
