
Trojan:WinNT/Mediyes.A


First posted on 28 April 2010.
Source: SecurityHome

Aliases :

Trojan:WinNT/Mediyes.A is also known as Trojan.Win32.Genome.igep (Kaspersky), W32/Genome.T (Norman), Win32/Agent.QQJ (ESET), Trojan.WinNT.Mediyes (Ikarus), TROJ_MEDIYES.A (Trend Micro).

Explanation :

Trojan:WinNT/Mediyes.A is a kernel-mode trojan (a driver, installed as a system service) that may be dropped by another malware. It hooks the native file, process, thread and registry APIs listed below so that certain files and registry keys are not returned to user-mode tools such as Windows Explorer.

Installation

Trojan:WinNT/Mediyes.A may be dropped by another malware, detected as Trojan:Win32/Mediyes.A. It may arrive with the file name "mediasys.sys" and might not be visible when the system folder is viewed in Windows Explorer, because the API hooks described under Payload hide it. It registers itself as a system service by creating the following registry entry:

Adds value: "ImagePath"
With data: "<system folder>\mediasys.sys"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\mediasys

Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista and 7 it is C:\Windows\System32.

Trojan:WinNT/Mediyes.A may create the device object \Device\MediaSys.

Payload

Hooks APIs

Trojan:WinNT/Mediyes.A may hook the following APIs to hide certain files and registry keys:

  • ZwCreateFile
  • ZwOpenFile
  • ZwQueryDirectoryFile
  • ZwOpenProcess
  • ZwOpenThread
  • ZwOpenKey
  • ZwEnumerateValueKey
  • ZwSetValueKey
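The page says the driver "hooks" these APIs without stating the mechanism; for a kernel driver of this period that normally means overwriting entries in the system service dispatch table (SSDT) so that every user-mode caller is routed through the rootkit's replacement routine. The following is an added example, not code from the Mediyes driver or from the original page: a user-mode C model of a hook on ZwQueryDirectoryFile that filters "mediasys.sys" out of directory listings, together with the two checks an analyst uses to catch it. The table, the stand-in "original" service routine, the hook and the directory contents are all constructed for the example; the real routine returns FILE_*_INFORMATION records chained by NextEntryOffset, and a real hook unlinks a record by editing the offset of the entry before it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model of SSDT hooking. The table, the original
 * routine, the hook and the folder contents are this example's own,
 * not the Mediyes driver. */

#define MAX_ENTRIES 8
#define HIDDEN_NAME "mediasys.sys"   /* name the hook filters out */

typedef struct {
    const char *names[MAX_ENTRIES];
    int count;
} dir_listing_t;

/* Stand-in for ZwQueryDirectoryFile: fills `out`, returns 0 for success. */
typedef int (*query_dir_fn)(const char *path, dir_listing_t *out);

enum { SVC_QUERY_DIRECTORY_FILE = 0, SVC_COUNT };

static query_dir_fn ssdt[SVC_COUNT];           /* live dispatch table */
static query_dir_fn ssdt_baseline[SVC_COUNT];  /* clean copy taken at init */
static query_dir_fn saved_original;            /* the hook calls through this */

/* Constructed contents of <system folder>. */
static const char *const system_folder[] = { "ntoskrnl.exe", "mediasys.sys", "hal.dll" };

static int original_query_directory(const char *path, dir_listing_t *out) {
    (void)path;
    out->count = 0;
    for (size_t i = 0; i < sizeof system_folder / sizeof *system_folder; i++)
        out->names[out->count++] = system_folder[i];
    return 0;
}

/* The rootkit's replacement: call the original, then drop every record
 * whose name matches HIDDEN_NAME before the caller sees the result. */
static int hooked_query_directory(const char *path, dir_listing_t *out) {
    int status = saved_original(path, out);
    if (status != 0)
        return status;
    int kept = 0;
    for (int i = 0; i < out->count; i++)
        if (strcmp(out->names[i], HIDDEN_NAME) != 0)
            out->names[kept++] = out->names[i];
    out->count = kept;
    return 0;
}

void init_ssdt(void) {
    ssdt[SVC_QUERY_DIRECTORY_FILE] = original_query_directory;
    memcpy(ssdt_baseline, ssdt, sizeof ssdt);
}

/* What the driver does once loaded: overwrite the table slot. */
void install_hook(void) {
    saved_original = ssdt[SVC_QUERY_DIRECTORY_FILE];
    ssdt[SVC_QUERY_DIRECTORY_FILE] = hooked_query_directory;
}

/* What Explorer and every other user-mode caller receives. */
int list_via_ssdt(const char *path, dir_listing_t *out) {
    return ssdt[SVC_QUERY_DIRECTORY_FILE](path, out);
}

bool listing_contains(const dir_listing_t *l, const char *name) {
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0)
            return true;
    return false;
}

/* Check 1, table integrity: slots that no longer match the clean copy.
 * Real tools compare the live SSDT against the on-disk kernel image. */
int count_hooked_entries(void) {
    int hooked = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (ssdt[i] != ssdt_baseline[i])
            hooked++;
    return hooked;
}

/* Check 2, cross-view: names present in a low-level view (here the unhooked
 * routine; in practice a raw NTFS parse) but absent from the API view. */
int cross_view_hidden_count(const char *path) {
    dir_listing_t api_view, raw_view;
    list_via_ssdt(path, &api_view);
    original_query_directory(path, &raw_view);
    int hidden = 0;
    for (int i = 0; i < raw_view.count; i++)
        if (!listing_contains(&api_view, raw_view.names[i]))
            hidden++;
    return hidden;
}

int main(void) {
    const char *dir = "C:\\Windows\\System32";
    dir_listing_t l;
    init_ssdt();
    list_via_ssdt(dir, &l);
    printf("before hook: %d entries, hooked slots %d\n", l.count, count_hooked_entries());
    install_hook();
    list_via_ssdt(dir, &l);
    printf("after hook:  %d entries, hooked slots %d, hidden by cross-view %d\n",
           l.count, count_hooked_entries(), cross_view_hidden_count(dir));
    return 0;
}
```

The two checks fail in different ways and are worth running together: the integrity check needs a trustworthy baseline (a detector that takes its "clean" copy after the driver has loaded sees nothing), while the cross-view check needs an independent path to the data (raw disk or hive parsing) that the hooked API cannot influence. On the real system the same cross-view idea applies to the registry hooks listed above: enumerate HKLM\SYSTEM\CurrentControlSet\Services through the API and compare with a parse of the SYSTEM hive file.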


  • Analysis by Andrei Florin Saygo

    Last update 28 April 2010
