
VirTool:WinNT/Xiaoho


First posted on 19 March 2013.
Source: Microsoft

Aliases:

VirTool:WinNT/Xiaoho is also known as Win-Trojan/Rootkit.4224.C (AhnLab), Trojan-Dropper.Win32.Agent.vbl (Kaspersky), TR/Drop.Agent.vbl.10 (Avira), Trojan.MulDrop2.62855 (Dr.Web), Hack.Xiaoho!38C5 (Rising AV).

Explanation:



Installation

VirTool:WinNT/Xiaoho may be present under the file name "BundKilling.sys" in either the %Temp% folder or the <system folder>.

Note:

  • %Temp% refers to a variable location that is determined by the malware by querying the operating system. In Windows 2000, XP, and 2003, the default location is "C:\DOCUME~1\<user name>\LOCALS~1\Temp". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
  • <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; for XP, Vista, 7, and 8 it is "C:\Windows\System32".


VirTool:WinNT/Xiaoho is registered as a service so that it automatically runs every time Windows starts:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\PspKiller
Sets value: "ServiceName"
With data: "PspKiller"
Sets value: "DisplayName"
With data: "PspKiller"
Sets value: "BinaryPathName"
With data: "%Temp%\BundKilling.sys"
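As an added defender-side example (not part of the Microsoft entry), the check below parses an exported slice of the Services key and flags kernel-mode driver services whose image is loaded from a Temp directory or from outside System32, which is exactly how the BundKilling.sys service described above would stand out. The .reg text is constructed around the indicators listed in this entry; SYSTEM_ROOT is an assumed value, and on a live host the binary path is stored in the ImagePath value (the entry lists it under the CreateService parameter name BinaryPathName).

```python
import re
# Constructed sample (not from the entry): a .reg export of two driver services,
# modelled on the PspKiller persistence described above plus one legitimate driver.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PspKiller]
"ImagePath"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\BundKilling.sys"
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"ImagePath"="System32\\drivers\\disk.sys"
"Type"=dword:00000001
"""
SERVICE_KERNEL_DRIVER = 0x1   # Type value of a kernel-mode driver service
SYSTEM_ROOT = r"C:\Windows"   # assumed; read %SystemRoot% on a live host
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_services(reg_text):
    """Parse a .reg export into {service_name: {value_name: data}}."""
    services, current = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
        elif current is not None and (val := VAL_RE.match(line)):
            name, text, dword = val.groups()
            # .reg files double the backslashes inside string data
            current[name] = int(dword, 16) if text is None else text.replace("\\\\", "\\")
    return services

def normalize_path(image_path):
    """Resolve the forms ImagePath takes: \\??\\ prefix, %SystemRoot%, relative path."""
    p = image_path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    p = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, p, flags=re.IGNORECASE)
    if not re.match(r"^[A-Za-z]:\\", p):          # relative paths hang off %SystemRoot%
        p = SYSTEM_ROOT + "\\" + p.lstrip("\\")
    return p

def suspicious_drivers(services):
    """Kernel drivers whose image lives in a Temp directory or outside System32."""
    findings = []
    for name, vals in services.items():
        if vals.get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        path = normalize_path(vals.get("ImagePath", ""))
        if "\\temp\\" in path.lower() or not path.lower().startswith((SYSTEM_ROOT + "\\system32\\").lower()):
            findings.append((name, path))
    return findings
```

On a real system the same logic can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services`, which is what the constructed sample imitates.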



Payload

Stops target processes from running

VirTool:WinNT/Xiaoho stops target processes from running. Other malware often uses this functionality as part of its malicious activity. In the wild, this code has been found in the following malware:

  • Backdoor:Win32/Hupigon.DZ
  • VirTool:Win32/Obfuscator.EH




Analysis by Steven Zhou

Last update 19 March 2013
