Trojan.Win32.Refroso


1. What is the Trojan.Win32.Refroso

Trojan.Win32.Refroso is a destructive and malicious trojan designed to steal information from an infected system and send the compromised data to a remote server. Trojan.Win32.Refroso, also detected as Trojan-Spy.Win32.VB, may open a security hole that allows the download and installation of further malware onto the infected system. Aside from gathering system information, Trojan.Win32.Refroso may cause computer performance problems. Trojan.Win32.Refroso is a security risk and should be removed.


2. Technical Details:

a. The following files were created in the system:

No.  Filename                                   Size
1    %CommonPrograms%\Startup\sara.exe          [file and pathname of the sample #1]
     %Windir%\winrsv.ini\winrsv.mov             311,528 bytes
2    %AppData%\addons.dat                       24,895 bytes
3    %Windir%\winrsv.ini\logg.dat               0 bytes
  • Notes:
    • %CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

b. The following directory was created:

  • %Windir%\winrsv.ini

c. Memory Modifications

  • Attention! The following processes were intentionally hidden from the user:

    Process Name    Main Module Size
    IEXPLORE.EXE    102,400 bytes

  • There were new memory pages created in the address space of the system process(es):

    Process Name    Process Filename        Allocated Size
    explorer.exe    %Windir%\explorer.exe   20,480 bytes

d. Registry Modifications

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Gooele Update
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
    • HKEY_CURRENT_USER\Software\Gooele Update
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]
      • stubpath = "%Windir%\winrsv.ini\winrsv.mov s"
        (so that winrsv.mov runs every time Windows starts)
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Gooele Update]
      • nck = 88 5E 5A 9A 29 98 33 EE 92 09 11 E5 26 7E 5B 67
    • [HKEY_CURRENT_USER\Software\Gooele Update]
      • klg = 01
      • plg1 = EA 44 DC 02 A3 27 D7 5F 11 AD B9 07 DA F2 35 03 2A 35 8E 58 1B 0E 11 94 D4 F9 28 1F 11 4D 98 BC D2 64 44 8E CD F9 B9 BA 23 BD 45 ED 15 A6 77 AF B8 7C 04 4D 90 91 58 5F 81 61 19 72 00 4E 53 06 BD BE 33 FC 44 38 26 56 14 E7 3F 84 AB B3 1D F6 FE DC B1 1
e. Other details

  • There were registered attempts to establish connection with the remote hosts. The connection details are:

    Remote Host     Port Number
    196.221.73.94   81
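As an added defender-side example (not code from the original page or from Sax2), the following Python matches a host snapshot against the artifacts listed in section 2 and generalises the Active Setup persistence the stubpath value uses: any Installed Components entry whose StubPath launches a non-.exe/.dll target, or runs from a folder named like a data file (the sample's winrsv.ini directory), is flagged. The snapshot, the placeholder GUID and example.exe are constructed; on a real host the file list, registry values and connections would be collected with the host's own tooling.

```python
import re
# Indicators copied from the report above; %Windir% and %AppData% are kept as
# written and should be expanded before comparing against a live host.
REFROSO_FILES = {r"%CommonPrograms%\Startup\sara.exe", r"%AppData%\addons.dat",
                 r"%Windir%\winrsv.ini\winrsv.mov", r"%Windir%\winrsv.ini\logg.dat"}
REFROSO_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\Gooele Update",
                r"HKEY_CURRENT_USER\Software\Gooele Update"}
REFROSO_C2 = ("196.221.73.94", 81)
ACTIVE_SETUP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"

def stubpath_target(stubpath):
    """Program launched by a StubPath value, with its arguments dropped."""
    s = stubpath.strip()
    if s.startswith('"') and s.find('"', 1) > 0:
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]

def suspicious_stubpath(stubpath):
    """Active Setup should launch a normal executable: flag a target that is not
    .exe/.dll, or sits in a folder named like a data file (here 'winrsv.ini')."""
    parts = stubpath_target(stubpath).split("\\")
    name, parent = parts[-1].lower(), (parts[-2].lower() if len(parts) > 1 else "")
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return ext not in ("exe", "dll") or bool(re.search(r"\.(ini|dat|log|txt)$", parent))

def scan(files, registry, connections):
    """Match a snapshot (set of paths, {key: {value_name: data}}, set of (ip, port))."""
    findings = [f"file: {f}" for f in sorted(files & REFROSO_FILES)]
    for key, values in registry.items():
        if key in REFROSO_KEYS:
            findings.append(f"registry key: {key}")
        elif key.startswith(ACTIVE_SETUP):
            stub = next((v for n, v in values.items() if n.lower() == "stubpath"), "")
            if stub and suspicious_stubpath(stub):
                findings.append(f"active setup: {key[len(ACTIVE_SETUP):]} -> {stub}")
    if REFROSO_C2 in connections:
        findings.append("connection: %s:%d" % REFROSO_C2)
    return findings

# Constructed host snapshot: the report's artifacts plus a benign Active Setup
# entry (placeholder GUID and program name) that the heuristic must not flag.
SAMPLE_FILES = {r"%Windir%\winrsv.ini\winrsv.mov", r"%AppData%\addons.dat"}
SAMPLE_REGISTRY = {
    ACTIVE_SETUP + "{9D71D88C-C598-4935-C5D1-43AA4DB90836}":
        {"stubpath": r"%Windir%\winrsv.ini\winrsv.mov s"},
    ACTIVE_SETUP + "{00000000-0000-0000-0000-000000000001}":
        {"StubPath": r'"%Windir%\system32\example.exe" /quiet'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Gooele Update": {"nck": "88 5E 5A 9A"},
}
SAMPLE_CONNECTIONS = {("196.221.73.94", 81), ("10.0.0.5", 445)}
```

Calling scan(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_CONNECTIONS) yields five findings: the two files, the Active Setup entry, the Gooele Update key and the connection, while the placeholder entry is ignored.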


3. How-to's

a. How to prevent Trojan.Win32.Refroso?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and ensure your network and business security.

b. How to remove Trojan.Win32.Refroso manually?

Step 1: Stop the following Trojan.Win32.Refroso.cxc processes
%System%\data\data32.exe

Step 2: Remove the following Trojan.Win32.Refroso.cxc registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1830D8F5-834A-13C4-38C9-2041E933D1D5}
HKEY_LOCAL_MACHINE\SOFTWARE\system32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\system32

Step 3: Locate and delete the following Trojan.Win32.Refroso.cxc files

%System%\data\data32.exe
%System%\data\logg.dat

c. How to remove these trojans instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense is therefore to download and install a reliable anti-spyware program and scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
