Discovered: January 13, 2006
Updated: January 14, 2006 9:54:42 AM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Backdoor.Rustock is a Trojan horse with back door capabilities that allows a compromised computer to be used as a covert proxy. It uses rootkit techniques to hide its presence on the compromised computer.
When the Trojan is executed, it creates the following files:
%System%\drivers\I386P.SYS
%System%\MSCTL32.DLL
The Trojan then creates the following registry entries so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll\"Asynchronous" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll\"DllName" = "[NAME_OF_TROJAN_DLL].DLL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll\"Impersonate" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll\"Startup" = "Startup"
The Trojan then creates a hidden device service with the following characteristics:
Display Name: i386p
Image Path: %System%\drivers\I386P.SYS
The above device is a kernel-mode rootkit that enables the Trojan to hide the files and registry subkey it creates. It may also play a role in any attempt by the Trojan to steal sensitive information.
The Trojan injects the dropped .dll file into the WINLOGON process.
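The following PowerShell check is an added example, not part of the original advisory, that looks for the artifacts listed above (the Winlogon Notify subkey, the two dropped files and the i386p service key). It assumes the host is inspected while the I386P.SYS rootkit is not loaded (Safe Mode, WinPE, or a mounted offline hive), since a loaded rootkit hides exactly these files and keys from a live system.

```powershell
# Added detection check for the Backdoor.Rustock artifacts listed in the advisory.
# Assumption: run with the rootkit driver NOT loaded, otherwise the artifacts are hidden.
$findings = @()

# 1. Winlogon Notify package: the Trojan registers a subkey named msctl32.dll.
#    Any Notify subkey whose DllName is not a file under System32 also deserves a look.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $props = Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue
        $dll   = $props.DllName
        if ($sub.PSChildName -eq 'msctl32.dll') {
            $findings += "Notify subkey msctl32.dll present (DllName=$dll, Startup=$($props.Startup))"
        } elseif ($dll -and -not (Test-Path (Join-Path "$env:SystemRoot\System32" $dll))) {
            $findings += "Notify subkey $($sub.PSChildName) points to missing DLL: $dll"
        }
    }
}

# 2. Dropped files (%System% resolves to System32 on NT-family Windows).
$dropped = @(
    "$env:SystemRoot\System32\drivers\I386P.SYS",
    "$env:SystemRoot\System32\MSCTL32.DLL"
)
foreach ($f in $dropped) {
    if (Test-Path $f) { $findings += "Dropped file present: $f" }
}

# 3. Device service i386p. Read the Services hive directly: Get-Service only lists
#    Win32 services, and this one is registered as a kernel driver.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\i386p'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key i386p present (ImagePath=$img)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[SUSPECT] $_" }
} else {
    Write-Output 'No Backdoor.Rustock artifacts found (a live rootkit can hide them; re-check offline).'
}
```

For an offline check, load the suspect SYSTEM and SOFTWARE hives with `reg load` and point `$notifyKey` and `$svcKey` at the mounted paths.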
Next, the Trojan may download and install an ICQ program from the following Web site:
http://ftp.icq.com/pub/ICQ_WIN95_98_NT4/icq5_setup.exe
The Trojan then opens a covert proxy on a randomly chosen TCP port on the compromised computer.
The Trojan also attempts to contact the following Web sites to download files and configuration information:
http://ftp.skystockfinance.cc
http://https.enjoyfit2006.biz
http://www2.firemonk2006.com
The Trojan may also contact the following SMTP hosts using port 25:
mxs.mail.ru
smtp.yandex.ru
maila.microsoft.com