Threat behavior
Backdoor:Win32/R2d2.A is a trojan that communicates with a remote server to listen for commands from an attacker. The trojan monitors Skype communications, captures screen shots and may download and execute arbitrary files.
Installation
This trojan may be installed by another process and may be present in the Windows system folder as the following:
- %windir%\System32\mfc42ul.dll
The registry is modified to run the malware at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "%windir%\System32\mfc42ul.dll"
Payload
Installs an additional component
- %windir%\System32\winsys32.sys
This component is used by the backdoor to perform the following actions:
- Delete or rename protected files by modifying registry data
- Modify other registry data
- Modify file information properties of files
- Create or modify files
- Link to \\Device\KeyboardClassC to capture keystrokes
For more information about Trojan:Win32/R2d2.A!rootkit, see the description elsewhere in the encyclopedia.
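The persistence and dropped-component details above (the AppInit_DLLs value and the two files under %windir%\System32) can be checked on a host with the following script. This is an added example, not part of the encyclopedia entry; it assumes an elevated PowerShell session on the machine being examined, and the file and registry names it looks for are exactly those listed in the entry. The LoadAppInit_DLLs value and the Win32_SystemDriver class are standard Windows items, not something the entry describes.

```powershell
# Added example (not from the encyclopedia entry): audit the AppInit_DLLs
# persistence mechanism and the on-disk components described above.
# Assumptions: run in an elevated PowerShell session on the host being checked.
# File and registry names are those listed in the entry; nothing else is assumed.

$key       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$artifacts = @(
    (Join-Path $env:windir 'System32\mfc42ul.dll'),   # user-mode backdoor DLL
    (Join-Path $env:windir 'System32\winsys32.sys')   # kernel component
)
$findings = @()

# 1. Inspect the AppInit_DLLs value. Any DLL listed here is loaded into every
#    process that links user32.dll, which is how the backdoor ends up inside
#    explorer.exe, Skype.exe and the other processes it activates in.
$props       = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$appInit     = [string]$props.AppInit_DLLs
$loadEnabled = $props.LoadAppInit_DLLs   # Windows 7 and later: 0 disables the mechanism

if ($appInit -and $appInit -match 'mfc42ul\.dll') {
    $findings += "AppInit_DLLs references mfc42ul.dll: '$appInit'"
} elseif ($appInit) {
    # Not this family, but a non-empty AppInit_DLLs is rarely legitimate; flag it for review.
    $findings += "AppInit_DLLs is non-empty (review): '$appInit'"
}
if ($appInit -and $null -ne $loadEnabled -and $loadEnabled -ne 0) {
    $findings += "LoadAppInit_DLLs=$loadEnabled, so the listed DLLs will actually be loaded"
}

# 2. Check for the dropped files and, where present, record a hash for triage.
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "Artifact present: $path (SHA256 $hash)"
    }
}

# 3. The kernel component is a driver. The entry does not give a service name,
#    so match registered drivers on the binary path instead.
$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'winsys32\.sys' }
foreach ($drv in $drivers) {
    $findings += "Driver service '$($drv.Name)' uses $($drv.PathName) (state: $($drv.State))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/R2d2.A artifacts found.'
} else {
    Write-Output 'Possible Backdoor:Win32/R2d2.A indicators:'
    foreach ($f in $findings) { Write-Output "  - $f" }
}
```

On 64-bit Windows the 32-bit view of this key (under Wow6432Node) carries its own AppInit_DLLs value; the entry names only the native path, so extend the `$key` check to that view if 32-bit processes are in scope. A clean result from this script says nothing about the kernel component once it is running, since a rootkit driver can hide the very files and registry data being queried; treat it as a first-pass triage, not a clean bill of health.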
Communicates with a remote server
Backdoor:Win32/R2d2.A only activates when loaded into one of the following processes:
- explorer.exe
- Skype.exe
- SkypePM.exe
- msnmsgr.exe
- yahoomessenger.exe
- x-lite.exe
- sipgatexlite.exe
Backdoor:Win32/R2d2.A connects to a remote server to listen for commands from an attacker. Commands could instruct the trojan to perform the following actions:
- Monitor incoming and outgoing calls
- Send collected Skype data, version information and online status to a remote server
- Download and execute arbitrary files
- Take desktop screen shots during web browsing with the following applications:
  - firefox.exe
  - iexplore.exe
  - opera.exe
  - navigator.exe
  - seamonkey.exe
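Because the backdoor is injected through AppInit_DLLs but only becomes active inside the process set listed above, a useful runtime check is whether mfc42ul.dll is actually mapped into those processes right now. The script below is an added example, not from the encyclopedia entry; it assumes an elevated PowerShell session (module lists of other users' processes are otherwise unreadable) and uses the process names exactly as the entry lists them. The browser set is included because activity in those applications is what triggers the screenshot behaviour.

```powershell
# Added example (not from the encyclopedia entry): report which of the listed
# processes are running and whether the backdoor DLL is loaded in each.
# Assumption: run elevated so that Modules can be enumerated for all processes.

$activationSet = 'explorer','Skype','SkypePM','msnmsgr','yahoomessenger','x-lite','sipgatexlite'
$browserSet    = 'firefox','iexplore','opera','navigator','seamonkey'
$targetModule  = 'mfc42ul.dll'   # user-mode component named in the entry

$report = foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    # Get-Process exposes names without the .exe suffix; -contains is case-insensitive.
    $inActivation = $activationSet -contains $proc.ProcessName
    $inBrowser    = $browserSet    -contains $proc.ProcessName
    if (-not ($inActivation -or $inBrowser)) { continue }

    # Module enumeration fails for protected processes and across 32/64-bit
    # boundaries; report those as unknown rather than as clean.
    $loaded = $null
    try {
        $loaded = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq $targetModule })
    } catch { }

    [pscustomobject]@{
        Process     = $proc.ProcessName
        PID         = $proc.Id
        Role        = if ($inActivation) { 'activation target' } else { 'screenshot trigger' }
        BackdoorDll = if ($null -eq $loaded) { 'unknown (access denied)' }
                      elseif ($loaded)       { 'LOADED' }
                      else                   { 'not loaded' }
    }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    Write-Output 'None of the listed processes are running.'
}
```

A "LOADED" row in an activation-target process means the AppInit mechanism has already done its work and the process should be treated as compromised; a "not loaded" result is only meaningful if the registry and file checks are also clean, since the DLL is loaded at process start and a freshly launched Skype.exe or explorer.exe would pick it up on the next run.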
Analysis by Jireh Sanico
Prevention