Home / malware Trojan:WinNT/Mediyes.A
First posted on 28 April 2010.
Source: SecurityHomeAliases :
Trojan:WinNT/Mediyes.A is also known as Trojan.Win32.Genome.igep (Kaspersky), W32/Genome.T (Norman), Win32/Agent.QQJ (ESET), Trojan.WinNT.Mediyes (Ikarus), TROJ_MEDIYES.A (Trend Micro).
Explanation :
Trojan:WinNT/Mediyes.A is a trojan that may be dropped by another malware. It hooks the following APIs to hide certain files and registry keys.
Top
Trojan:WinNT/Mediyes.A is a trojan that may be dropped by another malware. It hooks the following APIs to hide certain files and registry keys. Installation Trojan:WinNT/Mediyes.A may be dropped by another malware, detected as Trojan:Win32/Mediyes.A. It may arrive with the file name "mediasys.sys" and might not be visible when the system folder is viewed in Windows Explorer. It creates the following entry to register itself as a system service: Adds value: "ImagePath" With data: "<system folder>\mediasys.sys" In subkey: HKLM\SYSTEM\CurrentControlSet\Services\mediasys Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Trojan:WinNT/Mediyes.A may create the system device \\Device\\MediaSys. Payload Hooks APIs Trojan:WinNT/Mediyes.A may hook the following APIs to hide certain files and registry keys:ZwCreateFile ZwOpenFile ZwZwQueryDirectoryFile ZwOpenProcess ZwOpenThread ZwOpenKey ZwEnumerateValueKey ZwSetValueKey
Analysis by Andrei Florin SaygoLast update 28 April 2010
