Intel Security
open

RDN/Ransom!dv

This page shows details and results of our analysis on the malware RDN/Ransom!dv

Download Current DAT

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Win32
  • Protection Added: 2013-11-21

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Kaspersky  -    Trojan-Ransom.Win32.PornoAsset.cjwp
  • Microsoft  -    VirTool:Win32/CeeInject.gen!KK
  • Symantec  -    Trojan.ADH.2    
  • Drweb         -    Trojan.DownLoader9.22851


Minimum Engine

5600.1067

File Length

Varies

Description Added

2013-11-21

Description Modified

2013-11-30

Malware Proliferation

"RDN/Ransom!dv"  is a detection for the Trojan which downloads other payloads.

Upon execution the Trojan injects itself into the explorer.exe and tries to connect the below IP address through remote port https.
  • 1.0.168.[removed]addr.arpa
  • pi-forwa[removed].com
  • 193.[removed].113
  • 113.210.[removed]-addr.arpa
  • powered-[removed]on.com
  • 109.[removed].245
  • 113.[removed].193.in-addr.arpa
  • 245.[removed].109.in-addr.arpa
  • PTR lh2[removed]xility.net
The following registry keys have been added to the system
  • HKEY_LOCAL_MACHINE\SOFTWARE\Yrhhcxxioa
  • HKEY_USERS\S-1-5-[Varies]\Software\Yrhhcxxioa


The following registry values have been added to the system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Yrhhcxxioa\License: 0x000001C8
  • HKEY_USERS\S-1-5-[Varies]\Software\Yrhhcxxioa\License: 0x000001C8
Presence of above mentioned activity

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, spam etc.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).