Ramdo
Symptoms
The following files may exist:
- %UserProfile%\Start Menu\Programs\Startup\AodbeARMHelper.exe
- %AppData%\Adobe\AcorIEHelper.dll
Analysis
This indicates activity of the Ramdo bot.
Once installed on the system, Ramdo may drop the following files:
- %UserProfile%\Start Menu\Programs\Startup\AodbeARMHelper.exe : This file is a copy of itself and allows the malware to run on startup.
- %AppData%\Adobe\AcorIEHelper.dll : This file is a modified copy of the malware.
Both names mimic legitimate Adobe Acrobat component names (AdobeARM, AcroIEHelper) with transposed letters, so match the misspelled forms exactly rather than relying on a visual scan of the folder.
It creates a mutex named d05530cd-fdf5-41d8-9f96-5d4a5250a310qK-ffffffff to make sure that only one instance of itself is running.
It spawns a child process named services.exe. The legitimate services.exe runs from %SystemRoot%\System32 and is started by wininit.exe, so a services.exe with any other parent process is a useful hunting signal.
It uses a domain generation algorithm (DGA) to generate domain names that it will attempt to connect to, so blocking individual command-and-control domains is not effective; bursts of failed DNS lookups (NXDOMAIN) from one host are a better indicator.
The original copy of the malware is deleted after execution.
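The following triage helper checks endpoint logs for the indicators listed above: the two dropped file names, a services.exe started by an unexpected parent, and (on Windows only) the presence of the mutex. It is an added example, not Fortinet's own detection code. It assumes a Sysmon-style log export with quoted key="value" fields (EventId 11 for file creation, EventId 1 for process creation); the sample lines are constructed for illustration. The mutex check uses the Win32 OpenMutexW call and tries both the session-local and Global namespaces, since the page does not say which one Ramdo uses.

```python
"""Triage helper for the Ramdo indicators described on this page.

Added example; not Fortinet's tooling. Log format (quoted key="value"
fields, Sysmon event IDs) and the sample lines below are assumptions.
"""
import ctypes
import ntpath
import re
import sys

# Indicators taken from the page.
MUTEX_NAME = "d05530cd-fdf5-41d8-9f96-5d4a5250a310qK-ffffffff"
# Logs carry expanded paths (C:\Users\<name>\AppData\Roaming\...) rather than
# %AppData%, so match on the trailing components, case-insensitively.
DROPPED_FILE_SUFFIXES = (
    r"\start menu\programs\startup\aodbearmhelper.exe",
    r"\adobe\acoriehelper.dll",
)
# Where the genuine services.exe lives and who starts it (Windows fact, not
# from the page).
LEGIT_SERVICES_DIR = r"c:\windows\system32"
LEGIT_SERVICES_PARENT = "wininit.exe"

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" log line into a dict (empty dict if unparseable)."""
    return dict(FIELD_RE.findall(line))


def triage_event(fields):
    """Return a list of indicator hits for one parsed event."""
    hits = []
    event_id = fields.get("EventId")
    if event_id == "11":  # file created
        target = fields.get("TargetFilename", "")
        if target.lower().endswith(DROPPED_FILE_SUFFIXES):
            hits.append(f"Ramdo dropped file: {target}")
    elif event_id == "1":  # process created
        image = fields.get("Image", "")
        parent = fields.get("ParentImage", "")
        if ntpath.basename(image).lower() == "services.exe":
            wrong_dir = ntpath.dirname(image).lower() != LEGIT_SERVICES_DIR
            wrong_parent = ntpath.basename(parent).lower() != LEGIT_SERVICES_PARENT
            if wrong_dir or wrong_parent:
                hits.append(f"services.exe with unexpected path/parent: {image} <- {parent}")
    return hits


def triage_log(lines):
    """Run triage_event over every line and collect the hits."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        if fields:
            hits.extend(triage_event(fields))
    return hits


def mutex_present(name=MUTEX_NAME):
    """Windows only: True if the Ramdo mutex can be opened, False if not.

    Returns None on other platforms. Tries the caller's session namespace
    and the Global namespace, since the page does not say which is used.
    """
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    for full_name in (name, "Global\\" + name):
        handle = kernel32.OpenMutexW(SYNCHRONIZE, 0, full_name)
        if handle:
            kernel32.CloseHandle(handle)
            return True
    return False


# Constructed sample events: two drops, one hollowed/unexpected services.exe,
# one legitimate services.exe, and one genuine Adobe file that must not match.
SAMPLE_LOG = [
    r'EventId="11" Image="C:\Users\bob\Downloads\invoice.exe" TargetFilename="C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AodbeARMHelper.exe"',
    r'EventId="11" Image="C:\Users\bob\Downloads\invoice.exe" TargetFilename="C:\Users\bob\AppData\Roaming\Adobe\AcorIEHelper.dll"',
    r'EventId="1" Image="C:\Windows\System32\services.exe" ParentImage="C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AodbeARMHelper.exe"',
    r'EventId="1" Image="C:\Windows\System32\services.exe" ParentImage="C:\Windows\System32\wininit.exe"',
    r'EventId="11" Image="C:\Program Files\Adobe\Acrobat\AdobeARM.exe" TargetFilename="C:\Users\bob\AppData\Roaming\Adobe\AcroIEHelperShim.dll"',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit)
    print("mutex present:", mutex_present())
```

The path suffixes are lowercased on both sides because NTFS is case-insensitive and log exporters differ in how they record case; the genuine AcroIEHelperShim.dll line is included to show that the misspelled Ramdo name does not collide with a real Adobe component.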
Instructions
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.