Chinese Trojan infects the boot record

Posted: August 30, 2012 in Vulnerability News
Tags: ,

Doctor Web“Doctor Web”: Chinese Trojan infects the boot record

Malicious software includes eight functional modules: the installer, three drivers, shared library and a number of auxiliary components.

Experts of the company “Doctor Web” found a new Trojan horse that infects MBR hard disk. The main goal threat is referral to the author ‘trojan web-sites through the use of its browser.

According to experts, Trojan.Xytets was established in China. It includes eight functional modules installer, three drivers, shared library and a number of auxiliary components.

After running for a potential victim of the system, the Trojan checks if it is not loaded in the virtual machine, and is not being used on the victim machine debugger. When these applications are present on the system, the Trojan informs the remote server and exits.

When a computer is infected victims Trojan.Xytets saves on disk and registers a two drivers that perform specific functions Trojan. In addition, malicious code also runs its own firewall, which intercepts sent from the infected computer’s IP-packets. The firewall also prevents a user visits certain web-sites, the list of which is registered in the configuration file. The files are Trojan and malware drivers saved to disk twice in the file system and the end of the hard disk.

In “Doctor Web” indicate that one of the drivers malware scans processes that run on the infected system, and blocks execution of those that may hinder its work.

Trojan.Xytets hides some of the files stored on the disk and overwrites the master boot record, which allows him to take control in the process of loading the operating system.

The information that the Trojan sends to the server located in China intruders includes data on the infected computer, the versions of the operating system and the Trojan.

The report “Doctor Web” is available here.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s