This trojan is dropped by the Roarur.dr trojan.
It creates an additional Service on the victims computer and checks for the presence of certain files on the system.
5862 (2010-01-15)Updated DAT
-- Update Jan. 19, 2010 --
After in depth analysis of updated samples of Roarur.DLL, the following information regarding the backdoor capabilities was uncovered:
The following filenames were seen for DLLs associated with this detection:
The file acelpvc.dll was identified as malicious, loaded by rasmon.dll to connect to any arbitrary IP:PORT chosen by the attacker. It imports VedioDriver.dll to allow it to monitor keyboard and mouse usage.
The samples above connect to one of the following domains:
The malware connect to port 443 but the communication protocol is not SSL. It is a custom encrypted protocol.
When installed on the system, the backdoor has full control of the system. These are some of the capabilities identified:
This Trojan is stage III of Operation Aurora, for more information on Operation Aurora, see:
When executed this trojan creates a service on the victim's computer and modifies the following registry keys:
Different variants have been observed using different file names, services names and dll locations. For example:
The DLL (RASMON.DLL) is injected into the SVCHOST.EXE and performs the following functions:
Connection to the following remote server is made (new variants have been captured that connect to different servers):
The trojan accepts commands from the controlling host. Different variants have different capabilities including:
The backdoor gathers the following information from the victims machine and sends it back to the server:
Informations are stored in an encrypted file in windows/system32/drivers/etc/networks.ics file.
For more details on the communication protocol, see:
This threat is dropped by Roarur.dr