This is the first time that I use Regkeval on a PC infected with Red October malware. Those are the registry keys that enable persistence of the malware:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows [Load]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [DotNet32]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [ctfmon32rt]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [LgfxTray]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [shmservice]
An excerpt of the output:
| Registry values | ||||
|---|---|---|---|---|
| Key | Value | Data | Key_Timestamp | Remarks |
| HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load&&Run,load=""-Run="" | ||||
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows | Load | C:\Documents and Settings\john\Datos de programa\Microsoft\RtkN32Gdi.exe | 2013-01-24T11:07:29Z | ntuser_john.dat [Expected: [Val:]] |
| HKU\Software\Microsoft\Windows\CurrentVersion\Run\:::vk:::, | ||||
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE | C:\WINDOWS\system32\ctfmon.exe | 2012-11-14T11:43:12Z | ntuser_john.dat |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | DotNet32 | C:\Documents and Settings\john\Datos de programa\Microsoft\svchost.exe | 2012-11-14T11:43:12Z | ntuser_john.dat |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | ctfmon32rt | "C:\Documents and Settings\john\Datos de programa\Microsoft\ms32trayX.exe" | 2012-11-14T11:43:12Z | ntuser_john.dat |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | LgfxTray | "C:\Documents and Settings\john\Datos de programa\Microsoft\lgfxtray.exe" | 2012-11-14T11:43:12Z | ntuser_john.dat |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | shmservice | C:\Documents and Settings\john\Datos de programa\Microsoft\RtkN32Gdi.exe | 2012-11-14T11:43:12Z | ntuser_john.dat |
It's time to update the regkeval_val_malw_espec.tsv file with those new values:
RtkN32Gdi.exe RedOctober dos
Microsoft\svchost.exe RedOctober dos
ms32trayX.exe RedOctober dos
lgfxtray.exe RedOctober dos
