Protégez votre univers

Nos autres ressources

  • — utilitaires gratuits, plugins, widgets
  • — service Internet pour les prestataires de services Dr.Web AV-Desk
  • — l'utilitaire de désinfection réseau Dr.Web CureNet!

Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230


Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230



Added to the Dr.Web virus database: 2012-04-19

Virus description added:

A complex multi-component file infector written in C and Assembly. It adds the rmnsoft.dll and modules.dll libraries to the browser, saves the driver into a temporary folder and runs it as a Microsoft Windows Service. Then it copies the virus body into a temporary directory and a startup folder with a random name and the .exe extension.

The backdoor can execute commands received from the remote server, in particular, download and run any files, update itself, take screenshots and send them to the criminals, and even render the operating system non-operational. It uses a digital signature to sign the IP address of a command and control server, while the addresses of the command and control servers are generated dynamically.

Virus components and configuration file, downloaded by the backdoor, are stored in the encrypted log file in the % APPDATA% folder. The module implemented in the modules.dll file loads data from the file with the .log extension and performs all the manipulations with the loaded code in the computer's RAM, so the components' code is not decrypted onto the hard drive.

The virus is able to stop anti-virus processes and modify the MBR. It stores its files at the end of the disk. When rebooting, the control is transferred to the infected MBR which reads and decrypts modules in the memory and then runs them.

It downloads the following modules: Ftp Grabber v2.0, Anonymous Ftp Server v1.0, Hide Browser v1.1, Hooker 3 Spy module. The virus has the polymorphic infector and infects files starting from the entry point , its body is in resources under the random name.

Editeur russe des solutions antivirus Dr.Web

Expérience dans le développement depuis 1992

Les internautes dans plus de 200 pays utilisent Dr.Web

L'antivirus est fourni en tant que service depuis 2007

Support 24/24

© Doctor Web
2003 — 2019

Doctor Web - éditeur russe des solutions antivirus Dr.Web. Doctor Web développe les produits Dr.Web depuis 1992.

333b, Avenue de Colmar, 67100 Strasbourg