Malware Trojan.Hytets

Posted: August 29, 2012 in Encyclopedia viruses

Malware Trojan.Hytets – multi-component bootkit

Added to the virus database Dr.Web: 2012-08-17


A multi-component bootkit written in C that is able to hide its own presence in the infected system. It consists of eight components, including three drivers.

It has anti-debugging functionality: at startup it checks whether it has been loaded inside a virtual machine and whether a debugger application is running in the OS. It also checks the infected computer for a number of applications used for billing in Chinese Internet cafes.

Components:

– Installer;

– Picture cp.exe;

– Driver NtHook.sys;

– Driver beep.sys;

– Driver Startdriver;

– Library safemon.dll;

– IDB;

– Shellcode written into the MBR.

Features:

– Replacing the start page URL of popular browsers with a site belonging to the criminals;

– Performing HTTP redirects;

– Downloading and running executable files;

– Creating shortcuts in the Windows Quick Launch bar, in “Favorites” and on the Desktop;

– Launching Microsoft Internet Explorer on a schedule and opening a web page chosen by the attackers in it;

– Blocking access to a number of websites from a pre-generated list;

– Blocking the launch of certain applications from a pre-generated list;

– Hiding files on disk;

– Infecting the MBR.
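Because the bootkit component described above lives in the MBR (see the shellcode component and the “Infecting the MBR” feature), the first thing a responder wants is a way to compare a machine's boot sector with a known-good copy. The following is an added example, not code from the Dr.Web description or from the trojan itself: it parses a 512-byte MBR image, validates the 0x55AA signature, decodes the partition table and hashes the bootstrap-code area so it can be checked against a baseline. The two MBR images are constructed for the example; the “infected” one merely stands in for bootkit code and is not the trojan's real shellcode.

```python
"""Added example: quick MBR triage for bootkit infections (not the original page's code)."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446        # bytes 0..445 hold the bootstrap code a bootkit overwrites
PART_TABLE_OFF = 446      # four 16-byte partition-table entries follow the boot code
BOOT_SIG_OFF = 510
BOOT_SIG = b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition-table entries (status, type, LBA start, sector count)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def bootcode_sha256(mbr: bytes) -> str:
    """Hash only the bootstrap area; the partition table is expected to differ per machine."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def triage_mbr(mbr: bytes, baseline_bootcode_sha256=None) -> dict:
    """Summarise an MBR image and, if a baseline hash is given, flag modified boot code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(mbr))
    digest = bootcode_sha256(mbr)
    return {
        "signature_ok": mbr[BOOT_SIG_OFF:] == BOOT_SIG,
        "partitions": parse_partitions(mbr),
        "bootcode_sha256": digest,
        # None when no baseline was supplied; otherwise True if the boot code changed
        "bootcode_modified": (None if baseline_bootcode_sha256 is None
                              else digest != baseline_bootcode_sha256),
    }


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS-type partition, valid signature."""
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48  # three empty entries
    return body + table + BOOT_SIG


# Constructed images: a clean sector and a stand-in for an overwritten one.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c" + b"\x90" * 60 + b"BOOTKIT-STAGE1")
BASELINE = bootcode_sha256(CLEAN_MBR)  # taken from the clean image before "infection"

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        r = triage_mbr(image, BASELINE)
        print("%s: signature_ok=%s bootcode_modified=%s partitions=%d"
              % (name, r["signature_ok"], r["bootcode_modified"], len(r["partitions"])))
```

On a real system the 512 bytes would come from the raw disk (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux). Since the trojan hides its presence from the running OS, a read taken while the infected system is booted may be served the original sector by the bootkit's driver; take the sector from offline media or a boot disk and compare against a baseline captured before infection.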

Targeted browsers and applications (by process name):

– SERVICES.EXE;
– EXPLORER.EXE;
– IEXPLORE.EXE;
– QQBROWSER.EXE;
– SOGOUEXPLORER.EXE;
– 360SE.EXE;
– GREENBROWSER.EXE;
– FIREFOX.EXE;
– MAXTHON.EXE;
– THEWORLD.EXE;
– OPERA.EXE;
– CHROME.EXE;
– SAFARI.EXE;
– NAVIGATOR.EXE;
– TTRAVELER.EXE;
– 115BR.EXE;
– CORAL.EXE.

The command-and-control server is located in China. Trojan.Hytets (also transliterated Trojan.Xytets) has extensive functionality for hiding its own presence in the infected system, so the threat can also be classified as a rootkit.
