Roarur.dr
- Type: Trojan
- SubType: Dropper
- Discovery Date: 01/14/2010
- Length: Varies
- Minimum DAT: 5862 (01/15/2010)
- Updated DAT: 5872 (01/25/2010)
- Minimum Engine: 5.4.00
- Description Added: 01/14/2010
- Description Modified: 01/19/2010 1:49 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Overview
This is detection for a trojan that drops further malicious files onto the victim's computer.
Aliases:
- Operation Aurora (stage II - downloaded malware)
- Backdoor.Win32.Mdmbot (Ikarus)
- Backdoor:Win32/Mdmbot.A (Microsoft)
- Backdoor:Win32/Mdmbot.B (Microsoft)
- Backdoor:Win32/Mdmbot.C (Microsoft)
- Backdoor:Win32/Mdmbot.D (Microsoft)
- Trj/Roarur.A (Panda)
- TROJ_HYDRAQ.SMA (Trend Micro)
- Trojan.Hydraq (Symantec)
- W32/Roarur.NAF!tr.spy (Fortinet)
Characteristics
For more information on Operation Aurora, see:
- Exploit-Comele - Operation Aurora (stage I - initial exploit)
- Roarur.dll - Operation Aurora (stage III - dropped/installed malware)
When executed, the following file is dropped into the %SYSDIR% folder:
- %SYSDIR%\Rasmon.dll
A batch file that removes the initial dropper file is created at:
- %SYSDIR%\DFS.bat
This DLL is detected as the Roarur.dll trojan with the 5862 DATs.
Rasmon.dll is loaded into SVCHOST.EXE as a service DLL: the dropper registers an additional service on the victim's computer whose ServiceDll value points at Rasmon.dll, so svchost.exe loads the DLL each time the service starts. This service entry is the persistence mechanism and is what must be removed along with the file.
The following registry keys and values are created (the four characters after "RaS" are random):
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]
  - "ImagePath" = %SystemRoot%\svchost.exe -k netsvcs
  - "Start" = 02, 00, 00, 00 (REG_DWORD 2, i.e. SERVICE_AUTO_START: the service starts automatically at boot)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]\Parameters
  - "ServiceDll" = %SystemRoot%\rasmon.dll
An attempt is made to connect to the following remote server:
- 360.home[removed].com
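The service registration above is the artifact worth hunting for on other hosts. The following Python script is an added example and is not part of the original McAfee description: it parses an offline "reg export" of the Services hive and flags entries that match the pattern described on this page, a service named RaS plus four characters, hosted by svchost.exe -k netsvcs, set to auto-start, with ServiceDll pointing at rasmon.dll. The sample export, the service name RaSq7Kx and all function names are constructed for illustration. The legitimate Windows service RasAuto is included in the sample because its name also matches RaS followed by four characters (service names are case-insensitive), which is why the check does not treat the name alone as a verdict.

```python
import re
from typing import Dict, List, Optional, Tuple

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SERVICE_AUTO_START = 2  # "Start" = 02,00,00,00 in the registry values listed above
# Service key names are case-insensitive, so the RaS+4 pattern must be matched ignoring case;
# this is also why the legitimate RasAuto service matches it.
AURORA_NAME = re.compile(r"^RaS[A-Za-z0-9]{4}$", re.IGNORECASE)


def _expand_sz(value: str) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: hex(2): UTF-16LE bytes, NUL-terminated."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (value + "\0").encode("utf-16-le"))


# Constructed sample export (invented entries built here for illustration, not a real capture).
# RaSq7Kx stands in for the RaS[% random 4 chars %] service name from the description.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{SERVICES_ROOT}\\RasAuto]",
    '"ImagePath"=' + _expand_sz(r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    '"Start"=dword:00000003',
    "",
    f"[{SERVICES_ROOT}\\RasAuto\\Parameters]",
    '"ServiceDll"=' + _expand_sz(r"%SystemRoot%\System32\rasauto.dll"),
    "",
    f"[{SERVICES_ROOT}\\RaSq7Kx]",
    '"ImagePath"=' + _expand_sz(r"%SystemRoot%\svchost.exe -k netsvcs"),
    '"Start"=dword:00000002',
    "",
    f"[{SERVICES_ROOT}\\RaSq7Kx\\Parameters]",
    '"ServiceDll"=' + _expand_sz(r"%SystemRoot%\rasmon.dll"),
    "",
])

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_value(raw: str) -> object:
    """Decode the three value encodings that appear in a Services export."""
    if raw.startswith("hex(2):"):                      # REG_EXPAND_SZ as UTF-16LE hex bytes
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
        return data.decode("utf-16-le").rstrip("\0")
    if raw.startswith("dword:"):                        # REG_DWORD, hexadecimal
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):      # REG_SZ, backslashes doubled
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse 'reg export' text into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    pending = ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]      # reg.exe wraps long hex values with a trailing backslash
            continue
        pending = ""
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def find_roarur_services(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Return (service name, matched indicators) for services resembling the Roarur.dr entry.

    A hit requires the ServiceDll indicator, or all three of: the RaS+4 name, the
    svchost -k netsvcs host and auto-start. RasAuto matches only two of those, so it is not flagged.
    """
    hits: List[Tuple[str, List[str]]] = []
    prefix = SERVICES_ROOT + "\\"
    for key, values in keys.items():
        if not key.startswith(prefix):
            continue
        name = key[len(prefix):]
        if "\\" in name:
            continue                                   # Parameters subkeys are read via their parent
        image = str(values.get("ImagePath", "")).lower()
        dll = str(keys.get(key + "\\Parameters", {}).get("ServiceDll", "")).lower()
        indicators: List[str] = []
        if AURORA_NAME.match(name):
            indicators.append("name matches RaS+4")
        if "svchost.exe" in image and "-k netsvcs" in image:
            indicators.append("hosted by svchost -k netsvcs")
        if values.get("Start") == SERVICE_AUTO_START:
            indicators.append("auto-start")
        if dll.endswith("\\rasmon.dll"):
            indicators.append("ServiceDll is rasmon.dll")
        strong = "ServiceDll is rasmon.dll" in indicators
        weak = {"name matches RaS+4", "hosted by svchost -k netsvcs", "auto-start"} <= set(indicators)
        if strong or weak:
            hits.append((name, indicators))
    return hits


if __name__ == "__main__":
    for name, why in find_roarur_services(parse_reg_export(SAMPLE_REG)):
        print(f"{name}: {', '.join(why)}")
```

On a live system the same checks can be run against the output of "reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg" copied off the host; the weak tier exists because an attacker can rename the DLL, while the rasmon.dll ServiceDll value is the specific indicator this description gives.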
Symptoms
- Presence of the above mentioned activities.
- Presence of the above mentioned files.
Method of Infection
This Trojan is known to be downloaded by the Exploit-Comele Trojan.
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations
Variants
N/A