Russian antivirus company Dr. Web has discovered a new variant of the Win32.Rmnet.12 malware, which has infected over 1 million PCs around the world. Win32.Rmnet.16 is more advanced than its predecessor: it uses digitally signed C&C IP addresses along with updated main functional modules.
According to a recent study, the botnet consists of 55,310 zombies. 59% of the infected PCs are located in the UK, 40% in Australia and 1.3% in the US.
The malware was written in C and Assembly and consists of several functional modules. Upon arrival, the malware injects itself into a browser process, stores a driver in a temporary folder and uses a Microsoft Windows service name to conceal its presence on the system. It then copies the virus body into the temporary folder and the startup folder under random names with an .exe extension.
The downloaded virus components and settings are encrypted and stored in a file with a .log extension whose name corresponds to the particular system configuration. This file resides in the %APPDATA% folder. The malware component modules.dll reads the data from the .log file and reassembles it in RAM, so unencrypted data is never written to disk.
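The two persistence artifacts described above (random-named .exe files in the startup folder and an encrypted module store with a .log extension under %APPDATA%) lend themselves to a simple host scan. The following is an added example written for this page, not code from Dr. Web or from the malware analysis; the entropy threshold, the "random name" regex and the sample directory layout it builds are assumptions chosen for illustration, and both checks are heuristics that will need tuning against benign software on a real host.

```python
"""Heuristic scan for Rmnet-style persistence artifacts (added example, not from the page)."""
import math
import os
import re
import tempfile
from collections import Counter

# Assumed heuristics: an encrypted blob has near-maximal byte entropy (close to
# 8 bits/byte), while a plain-text log does not; a random dropper name mixes
# letters and digits. Both thresholds are illustrative, not from the write-up.
ENTROPY_THRESHOLD = 7.0
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}\.exe$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_encrypted_logs(appdata_dir, threshold=ENTROPY_THRESHOLD):
    """Return *.log files under appdata_dir whose first 64 KiB look encrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(appdata_dir):
        for name in filenames:
            if not name.lower().endswith(".log"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                sample = f.read(65536)
            if shannon_entropy(sample) >= threshold:
                hits.append(path)
    return sorted(hits)


def find_random_startup_exes(startup_dir):
    """Return .exe files in the Startup folder whose names look machine-generated."""
    return sorted(
        os.path.join(startup_dir, name)
        for name in os.listdir(startup_dir)
        if RANDOM_NAME_RE.match(name)
    )


def demo():
    """Build a constructed %APPDATA% layout in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        appdata = os.path.join(root, "AppData", "Roaming")
        # Per-user Startup folder location on Windows Vista and later.
        startup = os.path.join(appdata, "Microsoft", "Windows",
                               "Start Menu", "Programs", "Startup")
        os.makedirs(startup)

        # Constructed benign text log: low entropy, must not be flagged.
        with open(os.path.join(appdata, "setup.log"), "wb") as f:
            f.write(b"2012-01-01 12:00:00 installer started\n" * 200)
        # Constructed stand-in for the encrypted module store: random bytes.
        with open(os.path.join(appdata, "a1b2c3d4.log"), "wb") as f:
            f.write(os.urandom(65536))
        # Constructed Startup entries: one random-looking dropper, one normal shortcut.
        open(os.path.join(startup, "xk3j9qwe.exe"), "wb").close()
        open(os.path.join(startup, "OneNote.lnk"), "wb").close()

        logs = [os.path.basename(p) for p in find_encrypted_logs(appdata)]
        exes = [os.path.basename(p) for p in find_random_startup_exes(startup)]
        return {"encrypted_logs": logs, "random_startup_exes": exes}


if __name__ == "__main__":
    print(demo())
```

On a live host you would point `find_encrypted_logs` at `os.environ["APPDATA"]` and `find_random_startup_exes` at the Startup path built in `demo`; treat a hit as a lead for triage (check the file's signature, creation time and any MBR changes) rather than as a verdict, since installers and games also write high-entropy files and short names.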
This variant also has functionality to terminate processes belonging to various AV solutions. Like the previous version, Win32.Rmnet.16 modifies the MBR (Master Boot Record) and stores encrypted files at the end of the disk. The Ftp Grabber v2.0 module is equipped with a standalone FTP server and a spy module that steals passwords from popular FTP clients.