ROVNIX is a Trojan that usually arrives as an attachment to spam mail. The spam mail uses social engineering to trick the user into opening and executing the attachment.
The attachment is a ZIP archive with the malware file inside. The malware file name carries at least two extensions: one acting as a decoy, and the other the actual .exe extension. Because Windows hides known file extensions by default, the user sees only the decoy extension. Once the user clicks the attachment in Outlook, a copy is created in a randomly named subdirectory of the Temporary Internet Files folder.
The created file remains in that subdirectory even after outlook.exe exits.
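The double-extension trick described above is easy to check for before an attachment ever reaches a user. The following is an added example, not code from Trend Micro or from this advisory: it inspects the members of a ZIP archive, flags names whose final extension is executable while the preceding one is a typical decoy document or image type, and also reads the first two bytes of each member so that a PE file (the `MZ` DOS header) hidden under a harmless-looking extension is caught even when the name alone gives nothing away. The extension lists, the sample archive and the file names in it are constructed for illustration and are not taken from a real ROVNIX sample.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Extensions commonly used as the "decoy" half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg",
              ".png", ".txt", ".htm", ".html"}


def classify_member(name, head):
    """Return the reasons an archive member looks like a disguised executable.

    name -- member file name as stored in the archive
    head -- the first bytes of the member's content (2 are enough here)
    """
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS \
            and suffixes[-2] in DECOY_EXTS:
        reasons.append("double extension " + "".join(suffixes[-2:]))
    elif suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + suffixes[-1])
    # Content check: every PE file starts with the 'MZ' DOS header, whatever it is named.
    if head[:2] == b"MZ":
        if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
            reasons.append("PE header (MZ) under a non-executable extension")
        else:
            reasons.append("PE header (MZ) confirmed")
    return reasons


def scan_zip_bytes(blob):
    """Scan a ZIP archive held in memory; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:      # read only the magic bytes, not the whole member
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive (not a real malware sample) mimicking the spam attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2015_07.pdf.exe", b"MZ" + b"\x00" * 62)  # fake PE stub, decoy .pdf
        zf.writestr("readme.txt", b"please see the attached invoice")  # benign text member
        zf.writestr("photo.jpg", b"MZ\x90\x00")                         # PE bytes under an image name
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

The name check and the content check are deliberately independent: a gateway that only looks at extensions misses a PE renamed to `.jpg`, and one that only looks at magic bytes misses a script (`.js`, `.vbs`) that has no fixed header.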
For further information on the TROJ_ROVNIX variants that Trend Micro already detects, see the TROJ_ROVNIX detection entries listed below.
Antispam Pattern
LAYER | DETAILS | PATTERN VERSION | Release Date |
---|---|---|---|
EXPOSURE | Spam mails | AS1060 | 7/6/2015 |
VSAPI Pattern (Malicious File Detection)
LAYER | DETECTION | PATTERN BRANCH | Release Date |
---|---|---|---|
INFECTION | TROJ_ROVNIX.SMW | ENT 10.842.05 | 6/5/2014 |
INFECTION | TROJ_ROVNIX.SMD | ENT 10.992.06 | 8/18/2014 |
INFECTION | TROJ_ROVNIX.SME | ENT 10.995.00 | 8/19/2014 |
INFECTION | TROJ_ROVNIX.SM1 | ENT 11.181.00 | 9/29/2014 |
INFECTION | TROJ_HPROVNIX.SMA | ENT 12.177.00 | 11/27/2015 |
WRS Pattern (Malicious URL and Classification)
LAYER | Detection | Classification | Release Date |
---|---|---|---|
CLEAN-UP | romnsiebabanahujtr2{blocked}.org | C&C | 1/5/2016 |
CLEAN-UP | itnhi4vg6cktylw2{blocked}.onion | C&C | 1/5/2016 |
CLEAN-UP | romnsiebabanahujtr{blocked}.org | C&C | 1/5/2016 |
CLEAN-UP | romnsiebabanahujtr3{blocked}.org | C&C | 1/5/2016 |
CLEAN-UP | wujadrin{blocked}.com | C&C | 1/8/2016 |
CLEAN-UP | toykounn{blocked}.com | C&C | 1/8/2016 |
CLEAN-UP | lastooooomene2ie2e{blocked}.com | C&C | 1/8/2016 |
CLEAN-UP | upmisterfliremsnk{blocked}.net | C&C | 1/8/2016 |
CLEAN-UP | tornishineynarkkek2{blocked}.org | C&C | 1/8/2016 |
AEGIS Pattern (Behavior Monitoring Pattern)
LAYER | Detection | Pattern Version | Release Date |
---|---|---|---|
DYNAMIC | 4158T (terminate) | OPR 1533 | 04/12/2016 |
DYNAMIC | 4158F (feedback) | OPR 1527 | 03/29/2016 |
DYNAMIC | 1910T (terminate) | OPR 1521 | 03/08/2016 |
DYNAMIC | 1910F (feedback) | OPR 1517 | 02/23/2016 |
DYNAMIC | 4157T (terminate) | OPR 1527 | 03/29/2016 |
DYNAMIC | 4157F (feedback) | OPR 1523 | 03/15/2016 |
DCT Pattern (System Clean Pattern)
LAYER | Detection | Pattern Version | Release Date |
---|---|---|---|
CLEAN-UP | TSC_GENCLEAN | [existing] | [existing] |
Network Pattern
LAYER | Detection | Pattern Version | Release Date |
---|---|---|---|
CLEAN-UP | HTTP_ROVNIX_REQUEST-4 | RR 1.10143.00 | 01/29/2016 |
CLEAN-UP | HTTP_ROVNIX_REQUEST-5 | RR 1.10143.00 | 01/29/2016 |
Solution Map - What should customers do?
Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
---|---|---|---|---|---|---|---|
OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via web console | Not Applicable | Update Pattern via web console |
Worry Free Business Suite | Standard | Not Applicable | | | | | |
Worry Free Business Suite | Advanced/Messaging | Update Pattern via web console | | | | | |
Worry Free Business Suite | Hosted | | | | | | |
Deep Security | 8.0 and above | Not Applicable | Update Pattern via web console | Not Applicable | Update Pattern via web console | | |
ScanMail | SMEX 10 and later | Not Applicable | Update Pattern via web console | Not Applicable | | | |
ScanMail | SMD 5 and later | | | | | | |
InterScan Messaging | IMSVA 8.0 and above | | | | | | |
InterScan Web | IWSVA 6.0 and later | | | | | | |
Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console | | | | |
Deep Discovery | DDAN | | | | | | |
Deep Discovery | DDEI | | | | | | |