
Trojan.Cidox.C


First posted on 08 May 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cidox.C.

Explanation:

When the Trojan is executed, it creates the following files:
%System%\drivers\jwivs.sys
%System%\drivers\yurip.sys

The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\jwivs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\yurip

The Trojan modifies the NTFS boot sector's Initial Program Loader (IPL) so it can load malicious code directly from the disk.

NOTE: The modified NTFS IPL is detected as Boot.Cidox.

The Trojan writes its malicious components into the following encrypted file:
%System%\[RANDOM CHARACTERS].bin

The Trojan then deletes itself and reboots the computer.

The Trojan loads the malicious driver component into memory through the modified NTFS boot sector's IPL upon startup.
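Because the persistence described above lives in the NTFS boot sectors rather than in a file, a defender can verify the IPL area directly. The following is an added example written for this page, not Symantec's detection logic: it hashes the 15 sectors following the NTFS Volume Boot Record (assumed 512-byte sectors and that the IPL occupies those sectors) and compares them with a baseline captured on a known-clean volume; the sample volume bytes are constructed placeholders, not real boot code.

```python
import hashlib

SECTOR = 512
# Assumption: the VBR is sector 0 and the Initial Program Loader code that
# the VBR jumps to occupies the next 15 sectors (the 8 KB $Boot area).
IPL_FIRST_SECTOR = 1
IPL_SECTOR_COUNT = 15


def ipl_region(volume: bytes) -> bytes:
    """Return the raw IPL bytes from the start of an NTFS volume image."""
    if volume[3:11] != b"NTFS    ":          # OEM ID in the VBR
        raise ValueError("not an NTFS volume boot record")
    start = IPL_FIRST_SECTOR * SECTOR
    end = start + IPL_SECTOR_COUNT * SECTOR
    if len(volume) < end:
        raise ValueError("image too short to contain the IPL")
    return volume[start:end]


def ipl_digest(volume: bytes) -> str:
    """SHA-256 of the IPL area; record this on a clean system as the baseline."""
    return hashlib.sha256(ipl_region(volume)).hexdigest()


def ipl_tampered(volume: bytes, baseline_digest: str) -> bool:
    """True when the live IPL no longer matches the clean baseline."""
    return ipl_digest(volume) != baseline_digest


def changed_sectors(volume: bytes, baseline_volume: bytes) -> list:
    """Sector numbers of the IPL sectors that differ from the clean copy."""
    live, clean = ipl_region(volume), ipl_region(baseline_volume)
    return [IPL_FIRST_SECTOR + i for i in range(IPL_SECTOR_COUNT)
            if live[i * SECTOR:(i + 1) * SECTOR] != clean[i * SECTOR:(i + 1) * SECTOR]]


def make_sample_volume(patched: bool = False) -> bytes:
    """Constructed 16-sector stand-in for a volume's boot area (placeholder bytes)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"               # jump stub as in a real NTFS VBR
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = b"\x55\xAA"               # boot signature
    ipl = bytearray(b"\x90" * (IPL_SECTOR_COUNT * SECTOR))   # NOP filler
    if patched:
        # Simulate a bootkit overwriting part of IPL sector 2 with its loader stub.
        ipl[SECTOR + 16:SECTOR + 48] = b"\xCC" * 32
    return bytes(vbr) + bytes(ipl)


if __name__ == "__main__":
    baseline = ipl_digest(make_sample_volume())
    print("tampered:", ipl_tampered(make_sample_volume(patched=True), baseline))
    print("sectors :", changed_sectors(make_sample_volume(True), make_sample_volume()))
```

On a live Windows host the same functions can be fed the first 8 KB read from the raw volume device (for example `\\.\C:`, which requires administrator rights), with the baseline digest taken before deployment.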

The Trojan may log keystrokes and save the stolen information in its own virtual file system.

The Trojan phones home by generating a domain name and completing the URL by appending the following string:
_hello.php?param=[DATA]

NOTE: [DATA] includes the following information:
HDD serial number
OS version
Host name
Current user name
botid

The Trojan sends the logged data to its servers.

Last update 08 May 2014
