Published Feb 05, 2015 | Updated Sep 15, 2017
Win32/Escad
Technical information
Threat behavior
Installation
This threat can install itself to the following files on your PC:
It also installs the following configuration files:
It can be registered as a service with any of the following service names:
Service name: LocalMonNetwork
  In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NetMonSvc\Parameters
  Sets value: "ServiceDll"
  With data: "<system folder>\netmonsvc.dll"
  In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost
  Sets value: "LocalMonNetwork"
  With data: "netmonsvc"

Service name: Windows Security
  In subkey: HKLM\SYSTEM\ControlSet001\Services\Windows Security\Parameters
  Sets value: "ServiceDll"
  With data: "%SystemRoot%\system32\winsec.dll"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  Sets value: "Windows Security"
  With data: "windows security"

Service name: rdsessionmgr
  In subkey: HKLM\SYSTEM\ControlSet001\Services\RDSessionMgr\Parameters
  Sets value: "ServiceDll"
  With data: "%SystemRoot%\system32\rdmgr.dll"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  Sets value: "RDSessionMgr"
  With data: "rdsessionmgr"
Payload
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, including:
Acting as a proxy server
Copying files and sending them to a remote IP address
Downloading files remotely into the infected system
Enumerating files in any folder
Gathering machine information, such as your PC name, TCP connections, free disk space, and network adapter information
Modifying firewall settings
Modifying your IP settings
Analysis by Marianne Mallen
Prevention
Symptoms
The following can indicate that you have this threat on your PC:

You have these files:
  %TEMP%\install-sunny-leone-ii-screensaver.exe
  <system folder>\ansi.nls
  <system folder>\dayipmr.tbl
  <system folder>\netmonsvc.dll
  <system folder>\pmsconfig.msi
  <system folder>\rdmgr.dll
  <system folder>\remoteevtmanager.dll
  <system folder>\tlvc.nls
  <system folder>\tmscompg.msi
  <system folder>\winsec.dll

You see these entries or keys in your registry:
  In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NetMonSvc\Parameters
  Sets value: "ServiceDll"
  With data: "<system folder>\netmonsvc.dll"

  In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost
  Sets value: "LocalMonNetwork"
  With data: "netmonsvc"

  In subkey: HKLM\SYSTEM\ControlSet001\Services\Windows Security\Parameters
  Sets value: "ServiceDll"
  With data: "%SystemRoot%\system32\winsec.dll"

  In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  Sets value: "Windows Security"
  With data: "windows security"

  In subkey: HKLM\SYSTEM\ControlSet001\Services\RDSessionMgr\Parameters
  Sets value: "ServiceDll"
  With data: "%SystemRoot%\system32\rdmgr.dll"

  In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  Sets value: "RDSessionMgr"
  With data: "rdsessionmgr"
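As an added, read-only host check that is not part of this Microsoft entry, the following PowerShell script looks for the service registrations listed under Installation and the files and registry values listed under Symptoms. It assumes an elevated prompt (the HKLM\SYSTEM service keys may otherwise be unreadable) and that <system folder> resolves to %SystemRoot%\system32; the function name Get-EscadIndicators and the finding record layout are this example's own. The entry names ControlSet001 for two of the services; on a live system CurrentControlSet normally links to the active control set, but the script queries the keys exactly as the entry lists them.

```powershell
# Added example, not part of the Microsoft encyclopedia entry: read-only check of a
# Windows host for the Win32/Escad indicators listed under Installation and Symptoms.
# Run from an elevated PowerShell prompt. Reports findings; removes nothing.

$sys        = [Environment]::GetFolderPath('System')   # <system folder> / %SystemRoot%\system32
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Service registrations from the entry: service name, Parameters key, expected ServiceDll.
$serviceIndicators = @(
    @{ Name = 'LocalMonNetwork';  Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetMonSvc\Parameters';    Dll = 'netmonsvc.dll' }
    @{ Name = 'Windows Security'; Params = 'HKLM:\SYSTEM\ControlSet001\Services\Windows Security\Parameters'; Dll = 'winsec.dll' }
    @{ Name = 'rdsessionmgr';     Params = 'HKLM:\SYSTEM\ControlSet001\Services\RDSessionMgr\Parameters';     Dll = 'rdmgr.dll' }
)

# Dropped files from the Symptoms list (%TEMP% and <system folder> resolved for this host).
$fileIndicators = @(Join-Path $env:TEMP 'install-sunny-leone-ii-screensaver.exe')
foreach ($n in 'ansi.nls','dayipmr.tbl','netmonsvc.dll','pmsconfig.msi','rdmgr.dll',
               'remoteevtmanager.dll','tlvc.nls','tmscompg.msi','winsec.dll') {
    $fileIndicators += Join-Path $sys $n
}

# Hypothetical helper (this example's own): returns one record per indicator present.
function Get-EscadIndicators {
    $findings = @()
    $svchost  = Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue

    foreach ($svc in $serviceIndicators) {
        # 1. Svchost group entry (REG_MULTI_SZ); the entry's data is the group name, e.g. "netmonsvc".
        $group = $svchost.($svc.Name)
        if ($group) {
            $findings += [pscustomobject]@{ Type = 'SvchostEntry'; Location = "$svchostKey\$($svc.Name)"; Value = ($group -join ',') }
        }
        # 2. ServiceDll value under the service's Parameters key.
        $dll = (Get-ItemProperty -Path $svc.Params -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            $findings += [pscustomobject]@{ Type = 'ServiceDll'; Location = $svc.Params; Value = $dll }
        }
        # 3. A service known to the Service Control Manager under the listed name.
        if (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Type = 'ServiceRegistered'; Location = 'SCM'; Value = $svc.Name }
        }
    }

    # 4. Dropped files; record the SHA-256 so a finding can be matched against AV/EDR telemetry.
    foreach ($path in $fileIndicators) {
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Value = $hash }
        }
    }
    return $findings
}

$results = @(Get-EscadIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No Win32/Escad indicators found.'
} else {
    $results | Format-Table -AutoSize
    exit 1   # non-zero exit so the script can serve as a scheduled or remote compliance check
}
```

A hit on the Svchost group value or the ServiceDll path is the stronger signal, since the file names (ansi.nls, pmsconfig.msi) are chosen to look like ordinary system files; treat any file finding as a prompt to verify the hash and the signer rather than as proof on its own.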