RDN/Generic.grp!hy

Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/3/2015
Date Added: 3/3/2015
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 7586

Description
This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases:

Microsoft – TrojanDownloader:Win32/Upatre.
NOD32 – Win32/TrojanDownloader.Waski.A
Kaspersky – Trojan-Downloader.Win32.Upatre.faq
Fortinet – W32/Waski.A!tr

Indication of Infection

Presence of the activities described under Virus Characteristics below.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Virus Characteristics

“RDN/Generic.grp!hy” is a generic detection for a Trojan that may download other malicious files onto the system.
It deletes its source file upon successful execution.

Upon execution, the Trojan tries to connect to the following URLs, hostnames and IP addresses through ports 12101 and 12103:

hxxp://checkip.dyndns.org/
hxxp://straphael.org.uk/images/arrowb.jpg
checkip.dyndns.org
straphael.org.uk
216.146.39.70
91.103.216.71
94.41.208.125
74.125.28.100
90.182.92.110

Upon execution, the Trojan drops the following files onto the system:

%userprofile%\Local Settings\Temp\planeris.exe [Detected as RDN/Generic.grp!hy]
%windir%\NDxMcnFW.exe [Detected as RDN/Generic.dx!djf]
%userprofile%\Local Settings\Temp\sep6547.tmp

The following registry key value has been added to the system:

HKEY_LOCAL_MACHINE\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run

The above-mentioned registry value ensures that the Trojan registers itself with the compromised system and executes on every boot.

The following registry keys have been modified on the system:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Hardware Profiles001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxyenable
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass
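The dropped files, contacted hosts, ports and registry paths above are the kind of indicators a responder turns into a host-triage check. The following Python script is an added example, not McAfee's tooling or anything from the advisory: it carries the indicators listed above and matches them against a handful of constructed, Sysmon-style event lines (the `FileCreate`/`NetworkConnect`/`RegistrySet` line format and the sample events are assumptions made for the example, not real telemetry). A write to the `Run` key on its own is a weak signal, since legitimate installers use it too, so the script reports it for triage alongside the stronger file and network hits rather than as a verdict by itself.

```python
"""Indicator matcher for the RDN/Generic.grp!hy write-up (added example).

The indicator lists are taken from the advisory text. The event format and
the sample log lines below are constructed for this example only.
"""
import re
from typing import Dict, List, Tuple

# File paths dropped by the Trojan (matched as case-insensitive path suffixes,
# so the %userprofile% / %windir% prefixes can vary per host).
FILE_INDICATORS = [
    r"\Local Settings\Temp\planeris.exe",
    r"\NDxMcnFW.exe",
    r"\Local Settings\Temp\sep6547.tmp",
]

# Hostnames and IPs contacted after execution (URLs reduced to their hosts).
NETWORK_INDICATORS = {
    "checkip.dyndns.org", "straphael.org.uk",
    "216.146.39.70", "91.103.216.71", "94.41.208.125",
    "74.125.28.100", "90.182.92.110",
}
SUSPICIOUS_PORTS = {12101, 12103}

# Registry locations the advisory says are added or modified.
REGISTRY_INDICATORS = [
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Internet Settings\ProxyEnable",
    r"\Internet Settings\ZoneMap\ProxyBypass",
]

# Constructed sample events (assumed format: "<Type> key=value key=value ...").
SAMPLE_LOG = """\
FileCreate image=C:\\Users\\alice\\AppData\\Local\\Temp\\notes.txt
FileCreate image=C:\\Documents and Settings\\alice\\Local Settings\\Temp\\planeris.exe
NetworkConnect dest=checkip.dyndns.org dport=80
NetworkConnect dest=91.103.216.71 dport=12103
NetworkConnect dest=update.example.invalid dport=443
RegistrySet key=HKLM\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=planeris
RegistrySet key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass value=1
FileCreate image=C:\\Windows\\NDxMcnFW.exe
"""

# key=value pairs; a value runs until the next " key=" token, so paths with
# spaces ("Documents and Settings") survive intact.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a dict; the first token is the event type."""
    event_type, _, rest = line.strip().partition(" ")
    fields = {key: value for key, value in _KV.findall(rest)}
    fields["type"] = event_type
    return fields


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the advisory indicators this single event touches (empty if none)."""
    hits: List[str] = []
    etype = event.get("type")
    if etype == "FileCreate":
        path = event.get("image", "").lower()
        hits += [ioc for ioc in FILE_INDICATORS if path.endswith(ioc.lower())]
    elif etype == "NetworkConnect":
        dest = event.get("dest", "").lower()
        if dest in NETWORK_INDICATORS:
            hits.append(f"destination {dest}")
        try:
            port = int(event.get("dport", "0"))
        except ValueError:
            port = 0
        if port in SUSPICIOUS_PORTS:
            hits.append(f"port {port}")
    elif etype == "RegistrySet":
        key = event.get("key", "").lower()
        hits += [ioc for ioc in REGISTRY_INDICATORS if key.endswith(ioc.lower())]
    return hits


def scan(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Run every non-empty line through the matcher; return (line_no, type, hits)."""
    findings: List[Tuple[int, str, List[str]]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_event(line)
        hits = match_event(event)
        if hits:
            findings.append((line_no, event["type"], hits))
    return findings


if __name__ == "__main__":
    for line_no, etype, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {etype} -> {', '.join(hits)}")
```

Swapping `SAMPLE_LOG` for exported endpoint telemetry in the same key=value shape is enough to reuse the matcher; the suffix matching on paths and registry keys is deliberate so that hive prefixes (`HKLM\S-1-5-...` vs. `HKEY_USERS\...`) and profile directories do not have to be known in advance.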
