
Trojan:WinNT/Mediyes.B


First posted on 11 April 2012.
Source: Microsoft

Aliases :

Trojan:WinNT/Mediyes.B is also known as W32/Mediyes.B.gen!Eldorado (Command), Trojan.Mediyes!nFi4s1lJs1g (VirusBuster), Trojan horse Hider.PQZ (AVG), TR/Rootkit.Gen (Avira), Trojan.Mediyes.1 (Dr.Web), Win32/Mediyes.E trojan (ESET), Trojan.Win32.Hider (Ikarus).

Explanation :

Trojan:WinNT/Mediyes.B is a rootkit driver that is installed by the Mediyes malware family, a multi-component trojan that steals account information for online payment systems.





Installation

Trojan:WinNT/Mediyes.B may be installed by other malware, such as TrojanDropper:Win32/Mediyes.C, and registered as a system service (a kernel-mode driver service) so that it is loaded by the operating system.

Trojan:WinNT/Mediyes.B has a file name with the following format:

<system folder>\drivers\hid<random characters>.sys

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.

For example:

  • <system folder>\drivers\hidiun4f.sys
  • <system folder>\drivers\hidwutp3.sys
  • <system folder>\drivers\hiddvy3v.sys
  • <system folder>\drivers\hid2alpz.sys


It may create the following registry key as part of its service installation:

HKLM\SYSTEM\CurrentControlSet\Services\hid<random characters>

For example:

HKLM\SYSTEM\CurrentControlSet\Services\hidiun4f
HKLM\SYSTEM\CurrentControlSet\Services\hiddvy3
HKLM\SYSTEM\CurrentControlSet\Services\hid2alp
HKLM\SYSTEM\CurrentControlSet\Services\hidwutp
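The installation details above (a kernel-driver service whose image is <system folder>\drivers\hid<random characters>.sys) are enough to hunt for this family on a host. The following PowerShell is an added example and is not code from the original advisory or from Microsoft: it walks the Services key, keeps only kernel-driver services whose name begins with "hid", drops the in-box Windows HID drivers, and reports the remaining image paths together with their Authenticode status. The allow-list of legitimate "hid*" drivers is an assumption that is partial and varies by Windows build, and the function and parameter names are this example's own.

```powershell
# Added example (not part of the original advisory): hunt for Mediyes-style
# kernel-driver services whose image is <system folder>\drivers\hid<random>.sys.
# Assumptions: the allow-list of in-box HID drivers is partial and may need
# adjusting per Windows build; function and parameter names are this example's own.
function Find-SuspiciousHidDriver {
    param(
        # Services key to scan. Point this at an offline hive loaded with
        # "reg load" when the live view may be filtered by the rootkit.
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        # Windows directory that relative ImagePath entries are resolved against.
        [string]$WindowsRoot = $env:SystemRoot
    )

    # In-box Windows drivers whose names legitimately begin with "hid" (assumed, partial).
    $knownHid = @('hidclass.sys', 'hidparse.sys', 'hidusb.sys', 'hidbth.sys',
                  'hidir.sys', 'hidi2c.sys', 'hidinterrupt.sys', 'hidspi.sys')

    foreach ($svc in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        if ($svc.PSChildName -notmatch '^hid') { continue }

        $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or $p.Type -ne 1) { continue }     # Type 1 = SERVICE_KERNEL_DRIVER

        $imagePath = [string]$p.ImagePath
        if (-not $imagePath) { continue }
        $fileName = [System.IO.Path]::GetFileName($imagePath).ToLowerInvariant()
        if ($knownHid -contains $fileName) { continue }

        # Resolve the forms ImagePath commonly takes:
        #   \SystemRoot\system32\drivers\x.sys, system32\drivers\x.sys, \??\C:\...\x.sys
        $resolved = $imagePath -replace '^\\\?\?\\', ''
        $resolved = $resolved -replace '^\\SystemRoot\\', ($WindowsRoot.TrimEnd('\') + '\')
        if ($resolved -notmatch '^[A-Za-z]:\\') { $resolved = Join-Path $WindowsRoot $resolved }

        # A missing file is itself interesting: the driver may be hidden from the
        # file system view, or the dropper may have cleaned up after loading it.
        $sigStatus = if (Test-Path -LiteralPath $resolved) {
            (Get-AuthenticodeSignature -FilePath $resolved).Status
        } else { 'FileMissing' }

        [pscustomobject]@{
            Service      = $svc.PSChildName
            ImagePath    = $imagePath
            ResolvedPath = $resolved
            Signature    = $sigStatus
            StartType    = $p.Start
        }
    }
}

# Live system:
Find-SuspiciousHidDriver | Format-Table -AutoSize

# Offline image whose Windows directory is mounted at D:\Windows (hive loaded
# under a temporary key, then unloaded):
# reg load HKLM\OfflineSys D:\Windows\System32\config\SYSTEM
# Find-SuspiciousHidDriver -ServicesKey 'HKLM:\OfflineSys\ControlSet001\Services' -WindowsRoot 'D:\Windows'
# reg unload HKLM\OfflineSys
```

Because the driver hides its own registry keys once loaded (see Payload below), a clean result from the live Services key proves little; run the check against the offline hive of a disk image or from rescue media, and treat the live result only as a quick first pass. A hit with an unsigned, unexpectedly signed, or missing image file is a lead to investigate, not a verdict on its own, since the allow-list will not cover every legitimate third-party HID driver.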



Payload

Hides processes

Trojan:WinNT/Mediyes.B is a kernel-mode rootkit component that is able to perform the following actions on the infected system:

  • Hide itself
  • Hide processes and registry keys
  • Inject code into running processes




Analysis by Mihai Calota

Last update 11 April 2012

 
