Malware Trojan.Hytets – multi bootkit
Added to the virus database Dr.Web: 2012-08-17
Inserted 29/08/2012
This multi bootkit is written in C and is able to hide its own presence in the infected system. It includes 8 components, including three drivers.
It has anti-debugging functionality: at startup it checks whether it is loaded in a virtual machine and whether an application debugger is being used in the OS. It also checks the infected computer for a number of applications used for billing in Chinese Internet cafes.
Components:
– Installer;
– Image cp.exe;
– Driver NtHook.sys;
– Driver beep.sys;
– Driver Startdriver;
– Library safemon.dll;
– IDB;
– Shellcode, which is loaded into the MBR.
Features:
– Replacing the start page URL of popular browsers with a site belonging to the criminals;
– Performing HTTP redirects;
– Downloading and running executable files;
– Saving shortcuts to the Windows Quick Launch bar, to “Favorites” and to the Desktop;
– Launching Microsoft Internet Explorer on a schedule and opening the attacker's web page in it;
– Blocking access to a number of web sites from a pre-generated list;
– Blocking the launch of certain applications from a pre-generated list;
– Hiding files on disk;
– Infecting the MBR.
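A defender-side integrity check for the MBR infection and MBR-resident shellcode listed above, added here as an example; it is neither Dr.Web's code nor the Trojan's. It parses the partition table, verifies the boot signature and compares the 446-byte boot-code region against a SHA-256 baseline captured on a clean system. The sample MBR bytes, the baseline and the placeholder "shellcode" are constructed for this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446   # bytes 0..445: boot code, the region a bootkit overwrites
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510   # 0x55 0xAA boot signature

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if b else 0, t, lba, n)
                     for b, t, lba, n in entries)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + b"\x55\xaa"

def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        flag, ptype, lba, n = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": n})
    return parts

def check_mbr(mbr: bytes, baseline_boot_sha256: str) -> list:
    """Report deviations from a boot-code baseline recorded on the clean system."""
    if len(mbr) != SECTOR_SIZE:
        return ["unexpected sector length %d" % len(mbr)]
    findings = []
    if mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_boot_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    if not any(p["bootable"] for p in parse_partitions(mbr)):
        findings.append("no partition flagged bootable")
    return findings

# Constructed sample data: a clean MBR whose boot-code hash becomes the baseline,
# and a copy whose boot code was overwritten with placeholder bytes standing in
# for a bootkit's shellcode (not the real Trojan's code).
PARTITIONS = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", PARTITIONS)
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90" + b"PLACEHOLDER-SHELLCODE", PARTITIONS)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

On a real system the baseline must be captured before infection (for example at imaging time), since a bootkit that hooks disk I/O may also hide the modified sector from reads made on the running system.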
Targeted browsers and applications:
– SERVICES.EXE;
– EXPLORER.EXE;
– IEXPLORE.EXE;
– QQBROWSER.EXE;
– SOGOUEXPLORER.EXE;
– 360SE.EXE;
– GREENBROWSER.EXE;
– FIREFOX.EXE;
– MAXTHON.EXE;
– THEWORLD.EXE;
– OPERA.EXE;
– CHROME.EXE;
– SAFARI.EXE;
– NAVIGATOR.EXE;
– TTRAVELER.EXE;
– 115BR.EXE;
– CORAL.EXE.
The command and control server is located in China. Trojan.Xytets has extensive functionality that allows it to hide its own presence in the infected system, so the threat can also be classified as a rootkit.