Trend Micro - Securing Your Journey to the Cloud Business
Support
Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Emerging threat on ROVNIX

    • Updated:
    • 27 Jul 2018
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Hosted Email Security 2.0
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Trend Micro Email Security 1.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • N/A N/A
Summary

ROVNIX is a Trojan that usually arrives as attachment on spam mails. The spam mail uses social engineering in order to trick the user in opening and executing the attachment.

he attachment is a ZIP archive with the malware file inside. The malware uses at least two extension names: one acting as a decoy, and the other is the actual exe extension. Once user clicks the attachment thru outlook, a copy is created in a randomly-named subdirectory in temporary internet files folder.

The created file remains in that subdirectory even when you exit outlook.exe.

For further information on TROJ_ROVNIX variants that Trend Micro already detects, click here.

ROVNIX Infection Chain

Click image to enlarge.

Antispam Pattern

LAYERDETAILSPATTERN VERSIONRelease Date
EXPOSURESpam mailsAS10607/6/2015

VSAPI Pattern (Malicious File Detection)

LAYERDETECTIONPATTERN BRANCHRelease Date
INFECTIONTROJ_ROVNIX.SMWENT 10.842.056/5/2014
INFECTIONTROJ_ROVNIX.SMDENT 10.992.068/18/2014
INFECTIONTROJ_ROVNIX.SMEENT 10.995.008/19/2014
INFECTIONTROJ_ROVNIX.SM1ENT 11.181.009/29/2014
INFECTIONTROJ_HPROVNIX.SMAENT 12.177.0011/27/2015

WRS Pattern (Malicious URL and Classification)

LAYERDetectionClassificationRelease Date
CLEAN-UPromnsiebabanahujtr2{blocked}.orgC&C1/5/2016
CLEAN-UPitnhi4vg6cktylw2{blocked}.onionC&C1/5/2016
CLEAN-UPromnsiebabanahujtr{blocked}.orgC&C1/5/2016
CLEAN-UPromnsiebabanahujtr3{blocked}.orgC&C1/5/2016
CLEAN-UPwujadrin{blocked}.comC&C1/8/2016
CLEAN-UPtoykounn{blocked}.comC&C1/8/2016
CLEAN-UPlastooooomene2ie2e{blocked}.comC&C1/8/2016
CLEAN-UPupmisterfliremsnk{blocked}.netC&C1/8/2016
CLEAN-UPtornishineynarkkek2{blocked}.orgC&C1/8/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYERDetectionPattern VersionRelease Date
DYNAMIC4158T (terminate)OPR 153304/12/2016
DYNAMIC4158F (feedback)OPR 152703/29/2016
DYNAMIC1910T (terminate)OPR 152103/08/2016
DYNAMIC1910F (feedback)OPR 151702/23/2016
DYNAMIC4157T (terminate)OPR 152703/29/2016
DYNAMIC4157F (feedback)OPR 152303/15/2016

DCT Pattern (System Clean Pattern)

LAYERDetectionPattern VersionReleased Date
CLEAN-UPTSC_GENCLEAN[existing][existing]

Network Pattern

LAYERDetectionPattern VersionRelease Date
CLEAN-UPHTTP_ROVNIX_REQUEST-4RR 1.10143.0001/29/2016
CLEAN-UPHTTP_ROVNIX_REQUEST-5RR 1.10143.0001/29/2016
 
Make sure to always use the latest pattern available to detect the old and new variants of TROJ_ROVNIX.
Details
Public

Solution Map - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAntispam PatternNetwork Pattern
OfficeScan10.6 and above








Update Pattern via web console


Update Pattern via web console








Enable Web Reputation Service*


Update Pattern via Web console

Not Applicable		Update Pattern via Web console
Worry Free Business SuiteStandard

Not Applicable
Advanced/MessagingUpdate Pattern via web console
Hosted
Deep Security8.0 and above



Not Applicable		Update Pattern via Web consoleNot ApplicableUpdate Pattern via Web console
ScanMailSMEX 10 and later



Not Applicable

Update Pattern via Web console

Not Applicable
SMD 5 and later
InterScan MessagingIMSVA 8.0 and above
InterScan WebIWSVA 6.0 and later
Deep DiscoveryDDI 3.0 and later
Not Applicable		Update Pattern via web console
DDAN
DDEI
 
* Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

Blog

Related reports

Premium
Internal
Rating:
Category:
Troubleshoot; SPEC
Solution Id:
1114101
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.