BitDefender Antivirus

Trojan.Retapu.D

(Trojan.Downloader.Small.AACD, Trojan-Downloader.Win32.Small.eqn, Trojan:Win32/Anomaly.gen!A)
Spreading: very low
Damage: very low
Size: variable
Discovered: 2007 Aug 01

SYMPTOMS:

 Presence of one or more of the following registry keys:

   - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR
   - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR\cmd
   - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR\nextupdate
   - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR\version


 A program named "retadpu.exe" in the task list, which starts at Windows startup under the name "runner1".

TECHNICAL DESCRIPTION:

 Trojan.Retapu.D is a downloader: its task is to download additional pieces of malware from the internet and run them on the infected computer.

 It downloads this file:

http://XXX.a.wrs.mcboo.com/retadpu.exe

and executes it after downloading. After this step is completed, Trojan.Retapu.D exits.

The newly downloaded file is copied into the %windir% folder and registered in a startup key so that it runs every time Windows starts. It is also a downloader, but behaves like an updater: it transfers additional components of the Retapu family to the infected computer on a regular basis, so as to keep them at the latest 'versions'.
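The symptoms and the behaviour above translate directly into a host triage check. The following PowerShell script is an added example, not BitDefender's code or part of the original description: it looks for the four WR registry keys, a running retadpu.exe process, a copy of retadpu.exe in %windir%, and an autostart value named "runner1". The description does not say which startup key holds the "runner1" entry, so checking the HKLM and HKCU Run keys is an assumption made here; the process and file names come from the description itself.

```powershell
# Added triage check for the Trojan.Retapu.D indicators listed in this description.
# Not BitDefender's code. Read-only: it reports findings and changes nothing.
# Assumption: the "runner1" autostart entry lives in one of the standard Run keys;
# the description only gives the value name, not its location.

$findings = @()

# 1. Registry keys under HKLM\SOFTWARE\Classes\WR (from the SYMPTOMS section)
$wrKeys = @(
    'HKLM:\SOFTWARE\Classes\WR',
    'HKLM:\SOFTWARE\Classes\WR\cmd',
    'HKLM:\SOFTWARE\Classes\WR\nextupdate',
    'HKLM:\SOFTWARE\Classes\WR\version'
)
foreach ($key in $wrKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
    }
}

# 2. Autostart value named "runner1" (assumed locations: machine and user Run keys)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    # -ErrorAction SilentlyContinue returns nothing when the value does not exist
    $value = Get-ItemProperty -LiteralPath $key -Name 'runner1' -ErrorAction SilentlyContinue
    if ($null -ne $value) {
        $findings += "Autostart value runner1 in ${key}: $($value.runner1)"
    }
}

# 3. Running process named retadpu.exe
$proc = Get-Process -Name 'retadpu' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process running: retadpu.exe (PID $($proc.Id -join ', '))"
}

# 4. Dropped copy of the downloaded file in %windir%
$dropped = Join-Path $env:windir 'retadpu.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Retapu.D indicators found.'
} else {
    Write-Output 'Possible Trojan.Retapu.D infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and all processes are readable; a clean machine prints a single "No ... indicators found" line. The script only reports, so it is safe to run before handing the host to the antivirus for disinfection as the removal instructions below advise.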


Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Daniel RADU, Virus Researcher