Effects
Ryknos.A carries out the following actions:
- It connects to port 8080 on the following IP addresses:
5.10.203.93
24.210.44.45
152.7.24.186
68.101.14.76
67.171.67.190
- Through that connection it receives remote-control commands to execute on the affected computer; for example, it can delete, download and run files.
Infection strategy
Ryknos.A creates the file $SYS$DRV.EXE in the Windows system directory. This file is a copy of the backdoor.
Note: The file name was chosen deliberately: on computers where the Digital Rights Management software from Sony is installed, the rootkit included in that software hides every file whose name begins with the characters $SYS$ from Windows Explorer and other tools.
Ryknos.A creates the following entry in the Windows Registry:
- HKEY_CURRENT_USER\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj
$sys$drv = $sys$drv.exe
The path of this entry was intended to be HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but because of programming errors the backdoor fails to decrypt the text string correctly before writing it.
The entry was meant to run Ryknos.A every time Windows starts.
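As an added example (not part of the original write-up), the following Python triage script checks constructed sample data against the indicators given in the Effects and Infection strategy sections above: outbound connections to the listed addresses on port 8080, and Run-key values whose name begins with $sys$. It also decodes the garbled Run-key path: comparing it character by character with the intended path shows that every byte after the hive name differs from the intended byte by XOR 0x04. That key is an observation made here from the two strings above; the write-up itself does not describe the obfuscation scheme. The log format, the registry-dump format and all sample values are constructed.

```python
"""Offline triage helpers for the Ryknos.A indicators in this write-up.

Added example, not code from the original page. Assumptions:
- XOR key 0x04 was derived here by comparing the garbled and intended
  Run-key paths; the write-up does not name the obfuscation scheme.
- The firewall log format and registry dump format are constructed.
"""
import re
from typing import Iterable, List, Tuple

# Indicators taken from the write-up
C2_ADDRESSES = {"5.10.203.93", "24.210.44.45", "152.7.24.186",
                "68.101.14.76", "67.171.67.190"}
C2_PORT = 8080
DROPPED_FILE = "$sys$drv.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
GARBLED_RUN_KEY = r"HKEY_CURRENT_USER\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"
XOR_KEY = 0x04  # assumption: derived by comparing the two paths above


def decode_run_key(garbled: str, key: int = XOR_KEY) -> str:
    """Undo the single-byte XOR applied to everything after the hive name.

    The backdoor wrote its still-obfuscated string to the registry, so
    XOR-ing the sub-path with the key recovers the intended Run key.
    The hive prefix (HKEY_CURRENT_USER) was written in clear.
    """
    hive, _, subpath = garbled.partition("\\")
    return hive + "\\" + "".join(chr(ord(c) ^ key) for c in subpath)


def find_c2_connections(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, destination_ip) for every line that records a
    connection to one of the listed addresses on port 8080, whether the
    firewall allowed or denied it (an attempt is still a signal)."""
    # Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> action=<x>"
    pat = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")
    hits = []
    for line in log_lines:
        m = pat.search(line)
        if m and m.group(2) in C2_ADDRESSES and int(m.group(3)) == C2_PORT:
            hits.append((m.group(1), m.group(2)))
    return hits


def find_suspicious_run_values(
    registry_dump: Iterable[Tuple[str, str, str]]
) -> List[Tuple[str, str, str]]:
    """Flag Run-key values whose name begins with '$sys$'.

    registry_dump yields (key_path, value_name, data). Both the correct
    Run key and the garbled one are watched, because the backdoor writes
    under the garbled path; a key whose XOR-decoded form is the Run key
    is treated the same way.
    """
    watched = {RUN_KEY.lower(), GARBLED_RUN_KEY.lower()}
    findings = []
    for key_path, name, data in registry_dump:
        key_norm = key_path.lower()
        looks_like_run = (key_norm in watched
                          or decode_run_key(key_path).lower() == RUN_KEY.lower())
        if looks_like_run and name.lower().startswith("$sys$"):
            findings.append((key_path, name, data))
    return findings


# Constructed sample data (TEST-NET and private ranges; not real traffic)
SAMPLE_FIREWALL_LOG = [
    "2005-11-10T12:00:01 src=192.168.1.20 dst=152.7.24.186 dport=8080 action=allow",
    "2005-11-10T12:00:02 src=192.168.1.20 dst=203.0.113.5 dport=443 action=allow",
    "2005-11-10T12:00:03 src=192.168.1.31 dst=5.10.203.93 dport=80 action=allow",
    "2005-11-10T12:00:04 src=192.168.1.31 dst=5.10.203.93 dport=8080 action=deny",
]

SAMPLE_REGISTRY = [
    (RUN_KEY, "Updater", r"C:\Program Files\Updater\updater.exe"),  # benign, constructed
    (GARBLED_RUN_KEY, "$sys$drv", DROPPED_FILE),                       # as on the page
]

if __name__ == "__main__":
    print("decoded key:", decode_run_key(GARBLED_RUN_KEY))
    print("C2 hits:", find_c2_connections(SAMPLE_FIREWALL_LOG))
    print("Run findings:", find_suspicious_run_values(SAMPLE_REGISTRY))
```

Because the backdoor writes under the garbled key, a check that only inspects the real Run key would miss this persistence attempt entirely; the decode step lets the same rule cover both the intended path and the one that actually lands in the registry.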
Means of transmission
Ryknos.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
Ryknos.A is written in C and compiled with LCC-Win32. The backdoor is 10,240 bytes in size and is packed with UPX.