
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Redirection.A

Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Redirection.A carries out the following actions:

  • It connects to the channel #!d! on the server neo<blocked>theneo.info through port 1863. This gives an attacker remote access to the computer, allowing actions that compromise the user's confidentiality.
  • It starts an FTP server in order to download and run other files on the affected computer.
  • It collects information about the system, such as the IP address, operating system, free memory space, amount of RAM and CPU clock speed.
  • It scans IP addresses looking for computers with the VNC program installed. This application allows remote access to systems.
  • It steals passwords belonging to the VNC program and uses them to access that program. Some of the passwords it tries are the following:
    1234567890
    123, 1234, 12345, 123456, 1234567, 12345678, 1337, 4321, 654321, 7654321, 87654321.

    A
    abc, abcd, abcde, abcdef, abcdefgh, admin.

    B
    bass, bitch, bob, bobnob, boobs.

    C
    cam, change, changeme, coke, comp, computer, cool, crack, cracker.

    D
    dell, duck.

    F
    ftp, fuck.

    G
    god.

    H
    help, helpme, high.

    J
    jesus.

    K
    kkk, kool.

    L
    leet, love.

    M
    master, money, monkey.

    O
    owner.

    P
    paper, password, pimp, pimpin, porn.

    Q
    qwerty.

    R
    register, root, ryan.

    S
    server, sex, sexy.

    T
    test, testing, tom.

    W
    weed, whore, shit.
  • In order to avoid detection, it checks whether any of the following files exist on the computer:
    BW2K
    filemon
    FILEVXD
    ICEDUMP
    NTICE
    regmon
    REGVXD
    SICE
    TWX2002

    If any of them exists, it terminates its own execution.

Infection strategy 

Redirection.A creates the file LASS.EXE, which is a copy of the backdoor, in the following directories:

  • in the subfolder COMMON FILES\SYSTEM of the Program Files directory.
  • in the Documents and Settings directory.
    The SYSTEM subfolder and the file LASS.EXE are given the hidden and read-only attributes.

Redirection.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Update = C:\Program Files\Common Files\System\lass.exe

    By creating this entry, Redirection.A ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Program Files\Common Files\System\lass.exe = C:\Program Files\Common Files\System\lass.exe:*:Enabled:Windows Update
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Program Files\Common Files\System\lass.exe = C:\Program Files\Common Files\System\lass.exe:*:Enabled:Windows Update

    By creating these entries, Redirection.A registers itself as an authorized application and so bypasses the Windows firewall.
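The dropped file, the Run value and the firewall exceptions listed above are the host indicators a defender can check for. The following script is an added example for this entry, not Panda Security's code: it parses a registry export in .reg text format and a list of file paths, and reports any of the page's indicators it finds. The .reg text and file list embedded below are constructed samples; the assumption is that on a real host the operator would feed it the output of `reg export HKLM` and a file listing.

```python
"""Check a Windows registry export and a file listing for the persistence and
firewall-bypass indicators this page attributes to Redirection.A.

Added example for this encyclopedia entry, not Panda Security's code.  The
.reg text and file list below are constructed samples (assumption: real input
would come from ``reg export`` and a directory listing of the host)."""
import re
from typing import Dict, List

# Indicators as stated on the page, lower-cased: registry and NTFS paths are
# case-insensitive, so every comparison below is done in lower case.
DROPPED_FILE = r"c:\program files\common files\system\lass.exe"
DROP_DIRS = {r"c:\program files\common files\system", r"c:\documents and settings"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# The page lists both the ControlSet001 and the CurrentControlSet variant.
FIREWALL_LIST_RE = re.compile(
    r"^hkey_local_machine\\system\\(controlset\d+|currentcontrolset)\\services\\"
    r"sharedaccess\\parameters\\firewallpolicy\\standardprofile\\"
    r"authorizedapplications\\list$"
)
_VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')


def _unescape(s: str) -> str:
    """Undo the backslash escaping used for strings in .reg files."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="string data" lines.  Returns {key: {value_name: value_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys


def find_indicators(reg: Dict[str, Dict[str, str]], files: List[str]) -> List[str]:
    """Return one human-readable finding per matched indicator."""
    hits: List[str] = []
    # 1. A Run value launching lass.exe (the page shows it named "Windows Update").
    for name, data in reg.get(RUN_KEY, {}).items():
        if DROPPED_FILE in data.lower():
            hits.append(f"autostart: Run value '{name}' launches {data}")
    # 2. A firewall AuthorizedApplications entry enabling lass.exe on all ports (:*:Enabled:).
    for key, values in reg.items():
        if not FIREWALL_LIST_RE.match(key):
            continue
        for name, data in values.items():
            if DROPPED_FILE in name and ":*:enabled:" in data.lower():
                hits.append(f"firewall exception: {data} (under {key})")
    # 3. The dropped copy itself, in either directory the page names.
    for path in files:
        directory, _, basename = path.lower().rpartition("\\")
        if basename == "lass.exe" and directory in DROP_DIRS:
            hits.append(f"dropped file: {path}")
    return hits


def scan(reg_text: str, files: List[str]) -> List[str]:
    return find_indicators(parse_reg_export(reg_text), files)


# Constructed sample input: the entries from the page plus benign ones that must not match.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\Program Files\\Common Files\\System\\lass.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\System\\lass.exe"="C:\\Program Files\\Common Files\\System\\lass.exe:*:Enabled:Windows Update"
"C:\\Program Files\\Vendor\\app.exe"="C:\\Program Files\\Vendor\\app.exe:*:Enabled:Vendor App"
'''
SAMPLE_FILES = [
    r"C:\Program Files\Common Files\System\lass.exe",
    r"C:\Documents and Settings\lass.exe",
    r"C:\WINDOWS\system32\lsass.exe",  # legitimate Windows binary, must not match
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

Run against the sample it reports four findings: the misleadingly named "Windows Update" Run value, the firewall exception, and both copies of lass.exe. Matching on the full path rather than the bare file name keeps the legitimate lsass.exe from being flagged, and the regex over the ControlSet name covers the duplicate entry the page shows under ControlSet001.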

Means of transmission 

Redirection.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Redirection.A is 102,912 bytes in size.

Redirection.A creates a mutex called neo135 in order to ensure that only one copy of the Trojan is active at any time.