
WinCE/Redoc.K!tr - Released Mar 29, 2009 - Last Updated Apr 07, 2009

Alias/es

Trojan-SMS.WinCE.Redoc.k

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Abnormally high phone bill
  • Applications start unexpectedly, in particular at 11:23
  • The following files exist:
    • sdset.dll in the Windows directory
    • launch.dll
    • stek.dll

Detailed Analysis

This malware sends an SMS message without the user's consent and at the user's expense, and automatically starts pre-defined programs.

This malware is similar to WinCE/Redoc.C!tr, except that its malicious payload is slightly different:
  • Pre-defined programs are started automatically. In particular, applications may be started at a given time of day, such as 11:23.
  • A single SMS message is sent to a premium phone number.
  • The malware's configuration file is named sdset.dll and is located in the Windows directory. It specifies the text of the SMS and the phone number.

Recommended Action

FortiGate Systems

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 806807