TROJ_RODECAP.SM
Posted: July 31, 2013
Threat Metric
The fields shown on the Threat Meter, each of which carries a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path to determine a rise or decline in the percentage.
| Ranking: | 2,413 |
|---|---|
| Threat Level: | 9/10 |
| Infected PCs: | 23,882 |
| First Seen: | July 31, 2013 |
| Last Seen: | March 8, 2025 |
| OS(es) Affected: | Windows |
TROJ_RODECAP.SM is a backdoor Trojan that initiates contact with a malicious server to enable the remote control of your PC and/or the installation of additional malware. TROJ_RODECAP.SM's defenses are also relatively well thought out, and include the targeted blocking of specific security-related tools, as well as a spoof-based technique that disguises its malicious network traffic. Although removing TROJ_RODECAP.SM should be at the top of your list of priorities for preserving the safety of your computer, SpywareRemove.com malware experts warn that TROJ_RODECAP.SM has only very limited symptoms directly linked to its attacks, which may make TROJ_RODECAP.SM difficult to detect in the absence of appropriate anti-malware defenses.
TROJ_RODECAP.SM: Taking the Cap Off of Your PC Security and Draining It Dry
TROJ_RODECAP.SM, also identified as Trojan:Win32/Rodecap.A, is a backdoor Trojan designed for Windows PCs, with compatibility for most versions of that OS. Because TROJ_RODECAP.SM can't distribute itself, secondary PC threats like exploit kits or Trojan droppers usually are accomplices in the original attacks that result in TROJ_RODECAP.SM infections. The SpywareRemove.com malware research team has confirmed that TROJ_RODECAP.SM's numbers are still relatively low, but also that TROJ_RODECAP.SM is in active distribution 'in the wild.'
TROJ_RODECAP.SM conducts several attacks by default, which are outlined as follows:
- TROJ_RODECAP.SM modifies the Registry so that TROJ_RODECAP.SM will launch automatically with Windows. Its components may be disguised as Windows drivers.
- Also via the Registry, TROJ_RODECAP.SM blocks several basic Windows programs. Current programs blocked include Registry Tools, the Task Manager and Folder Options – all of which would be helpful for disabling and removing TROJ_RODECAP.SM.
- TROJ_RODECAP.SM's last attack doesn't concern the Registry at all, but, instead, is a standard network connection to communicate with a malicious server in Russia. SpywareRemove.com malware researchers warn that this traffic is spoofed to look like an image file from Google, which prevents network admins and other monitors of network traffic from identifying its malicious nature easily.
Plugging Up a TROJ_RODECAP.SM Network Breach
Since TROJ_RODECAP.SM's network connection can be used to launch additional attacks, including installing other malware, SpywareRemove.com malware researchers recommend removing TROJ_RODECAP.SM as soon as possible after the time of the original infection. While the majority of TROJ_RODECAP.SM's attacks are not particularly visible, any blocked access to crucial security utilities always should be treated as a symptom of an active security threat (and is a symptom TROJ_RODECAP.SM shares with many other types of malware, such as the fake anti-malware products of the Winwebsec family).
Deleting TROJ_RODECAP.SM and its attendant system changes should be within the realm of possibility for any competent anti-malware product. If TROJ_RODECAP.SM should happen to block your anti-malware software as well, SpywareRemove.com malware researchers suggest disabling TROJ_RODECAP.SM via Safe Mode or other security strategies that are known to be effective against automatic-startup Registry exploits.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

File name: %System%\mqtgsvc.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %System%\drivers\esentutl.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %User Profile%\APPLIC~1\clipsrv.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %User Profile%\APPLIC~1\cmstp.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Registry Modifications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Esent Utl = "%System%\drivers\esentutl.exe /waitservice"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
MqtgSVC = "%System%\mqtgsvc.exe /waitservice"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
CmSTP = "%User Profile%\APPLIC~1\cmstp.exe /waitservice"
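As an added example (not code from the advisory, SpywareRemove.com or SpyHunter), the following read-only PowerShell triage checks the two Registry behaviours described in the attack list and in the Registry Modifications section above: autostart entries under the Policies\Explorer\Run keys, and the lockout of Registry Tools, Task Manager and Folder Options. The advisory does not name the policy values behind that lockout; the script assumes the standard Windows policy values DisableRegistryTools, DisableTaskMgr and NoFolderOptions, which is my assumption rather than a detail from the page. The image names it matches against are the four files listed under File System Modifications.

```powershell
# Added audit example (not the advisory's own code): a read-only PowerShell
# triage of the Policies\Explorer\Run persistence and the tool lockout
# described in the advisory. Nothing here modifies the Registry.
# Assumption: the page does not name the policy values behind the lockout;
# DisableRegistryTools, DisableTaskMgr and NoFolderOptions are the standard
# Windows policy values for those tools and are my choice, not the page's.
# Run from an elevated PowerShell prompt so HKLM is readable.

$runPolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Image names listed under "File System Modifications" in the advisory. Each
# mirrors a legitimate Windows binary name, so the path and the launch
# location, not the name alone, are what make an entry suspicious.
$advisoryImageNames = @('mqtgsvc.exe', 'esentutl.exe', 'clipsrv.exe', 'cmstp.exe')

function Get-SuspiciousRunPolicyEntries {
    foreach ($key in $runPolicyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata Get-ItemProperty adds to every object.
            if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $command = [string]$prop.Value
            $reasons = @()

            if ($command -match '(?i)/waitservice') {
                $reasons += 'uses the /waitservice argument quoted in the advisory'
            }
            # Strip arguments and surrounding quotes to recover the image path.
            $imagePath = ($command -replace '\s+/.*$', '').Trim('"')
            $imageName = [System.IO.Path]::GetFileName($imagePath)
            if ($imageName -in $advisoryImageNames) {
                $reasons += "image name '$imageName' matches a file listed in the advisory"
            }
            if ($imagePath -match '(?i)\\drivers\\[^\\]+\.exe$') {
                $reasons += 'an .exe under the drivers folder (real drivers are .sys files)'
            }
            if ($imagePath -match '(?i)APPLIC~1|\\AppData\\|Application Data') {
                $reasons += 'launched from a user profile data folder'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $command
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-ToolLockoutPolicies {
    # Assumed value names (see header comment); checked in both hives.
    $checks = @(
        @{ Sub = 'Policies\System';   Name = 'DisableRegistryTools'; Blocks = 'Registry Editor' },
        @{ Sub = 'Policies\System';   Name = 'DisableTaskMgr';       Blocks = 'Task Manager' },
        @{ Sub = 'Policies\Explorer'; Name = 'NoFolderOptions';      Blocks = 'Folder Options' }
    )
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        foreach ($c in $checks) {
            $key = Join-Path $hive "Microsoft\Windows\CurrentVersion\$($c.Sub)"
            $value = (Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            if ($null -ne $value -and $value -ne 0) {
                [pscustomobject]@{ Key = $key; Name = $c.Name; Value = $value; Blocks = $c.Blocks }
            }
        }
    }
}

# Report: any Run-policy entry that matches the advisory's indicators, then any
# policy value that explains a blocked Registry Editor, Task Manager or Folder Options.
Get-SuspiciousRunPolicyEntries | Format-List
Get-ToolLockoutPolicies       | Format-Table -AutoSize
```

The script only reports; it makes no changes, so it can be run before and after the anti-malware scan and Safe Mode cleanup the advisory recommends to confirm that the persistence entries and lockout values are gone. A legitimate esentutl.exe or cmstp.exe lives directly in the system folder, not under drivers or a user profile folder, which is why the checks key on path rather than on name alone.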