Please note that the virus can replicate itself by infecting executable files and spreads with the help of VBscript code embedded in web pages. The virus consists of several modules and can embed content into loaded web pages (i.e., make web injections), redirect a browser to a site specified by criminals, and send information entered into web forms by a user to remote hosts. The screenshots below provide an example of scripts injected into page code by the malware.

The following image shows the list of web addresses to which access is blocked by Win32.Rmnet.12, as well as a list of search queries used to redirect the browser to a site belonging to the attackers.

Win32.Rmnet also steals passwords stored by popular FTP clients, such as Ghisler, WS FTP, CuteFTP, FlashFXP, FileZilla, and Bullet Proof FTP. In addition, the malicious program runs an FTP server on the infected machine. The virus uses backconnect to access internal services. This enables the malware, for example, to connect to the FTP server running on the infected machine, even if the compromised computer does not have a dedicated external IP address. Another Win32.Rmnet.12 component is able to execute commands received from a remote command center and transfer information gathered in the infected system to criminals.

The Trojan's geographical reach has not changed much in the last few months: the largest number of infected computers resides in (22.6%). comes second (15.8%), followed by (13.2%), (7.9%), (4.9%), and (3.5%). accounts for 2.8% of the total botnet, and the respective quantity is much greater than a month ago. Doctor Web continues to closely monitor the botnet’s operation.