Symptoms

The following files may exist:

  • %UserProfile%\Start Menu\Programs\Startup\AodbeARMHelper.exe
  • %AppData%\Adobe\AcorIEHelper.dll

Analysis

This detects activities of the Ramdo bot.

Once installed on the system, Ramdo may drop the following files:

  • %UserProfile%\Start Menu\Programs\Startup\AodbeARMHelper.exe: This file is a copy of itself and allows the malware to run on startup.
  • %AppData%\Adobe\AcorIEHelper.dll: This file is a modified copy of the malware.

It creates a mutex named d05530cd-fdf5-41d8-9f96-5d4a5250a310qK-ffffffff to make sure that only one instance of itself is running.

It spawns a child process named services.exe.

It uses a domain generation algorithm (DGA) to generate the domain names that it will attempt to connect to.

The original copy of the malware is deleted after execution.
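The indicators above (two dropped file paths, one mutex name, and a services.exe child spawned by the dropped binary) can be turned into a simple host-artifact triage. The following Python is an added example, not part of this page or of any Fortinet tool; it assumes a constructed list of observation dictionaries of the kind an EDR or Sysmon export would provide, and it matches file paths on their trailing components so that %UserProfile% and %AppData% resolve to any user's profile. The DGA is not modelled, since the page gives no details of the algorithm; the helper names, the sample events and the benign services.exe parent (wininit.exe) are assumptions.

```python
"""Triage of recorded host observations against the Ramdo indicators listed above.

Hypothetical helper for illustration: it does not query a live system. It takes
a list of observation dicts and reports which ones match the file paths, mutex
name and parent/child process relationship described on the page.
"""
from typing import Dict, List, Optional

# Indicators taken from the page. Keys are lower-cased trailing path components
# so the match is independent of the user's profile directory and of case.
FILE_TAILS = {
    r"start menu\programs\startup\aodbearmhelper.exe": "startup copy of Ramdo",
    r"adobe\acoriehelper.dll": "modified copy of Ramdo",
}
MUTEX_NAME = "d05530cd-fdf5-41d8-9f96-5d4a5250a310qK-ffffffff"
DROPPER_IMAGE = "aodbearmhelper.exe"
CHILD_IMAGE = "services.exe"


def _norm_path(path: str) -> str:
    # Lower-case and use backslashes so comparisons ignore case and separators.
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm_path(path).rsplit("\\", 1)[-1]


def match_file(path: str) -> Optional[str]:
    """Return a label if the path ends with one of the dropped-file paths."""
    p = _norm_path(path)
    for tail, label in FILE_TAILS.items():
        if p.endswith(tail):
            return label
    return None


def match_mutex(name: str) -> bool:
    """The single-instance mutex name is matched exactly (it is case-sensitive)."""
    return name == MUTEX_NAME


def match_process(image: str, parent_image: str) -> bool:
    # services.exe is a legitimate Windows process, so flag it only when its
    # parent is the dropped Ramdo binary, which is the relationship the page describes.
    return _basename(image) == CHILD_IMAGE and _basename(parent_image) == DROPPER_IMAGE


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return one human-readable finding per observation that matches an indicator."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file":
            label = match_file(ev["path"])
            if label:
                findings.append(f"file: {ev['path']} ({label})")
        elif kind == "mutex":
            if match_mutex(ev["name"]):
                findings.append(f"mutex: {ev['name']} (Ramdo single-instance mutex)")
        elif kind == "process":
            if match_process(ev["image"], ev["parent"]):
                findings.append(f"process: {ev['image']} spawned by {ev['parent']}")
    return findings


# Constructed sample observations: four true indicators mixed with benign noise.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\Start Menu\Programs\Startup\AodbeARMHelper.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Adobe\AcorIEHelper.dll"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Adobe\settings.dat"},  # benign (constructed)
    {"type": "mutex", "name": MUTEX_NAME},
    {"type": "mutex", "name": "Global\\ExampleUnrelatedMutex"},  # benign (constructed)
    # normal services.exe started by wininit.exe, must not be flagged
    {"type": "process", "image": r"C:\Windows\System32\services.exe",
     "parent": r"C:\Windows\System32\wininit.exe"},
    # services.exe spawned by the dropped startup binary
    {"type": "process", "image": "services.exe",
     "parent": r"C:\Users\alice\Start Menu\Programs\Startup\AodbeARMHelper.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on the path tail rather than the expanded %UserProfile% value keeps the check usable across profiles and on exported logs from other machines; the process rule is deliberately narrow so that the legitimate services.exe on every Windows host does not produce noise.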

Instructions

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
