
Trojan:WinNT/Omexo.C


First posted on 29 March 2010.
Source: SecurityHome

Aliases :

Trojan:WinNT/Omexo.C is also known as Rootkit.Agent.RYYH (VirusBuster), TR/Crypt.XDR.Gen (Avira), Gen:Rootkit.Heur.eC4@cW4eN6d (BitDefender), Trj/Downloader.MDW (Panda), Hacktool.Rootkit (Symantec).

Explanation :

Trojan:WinNT/Omexo.C is the detection for a malicious kernel mode driver that uses obfuscation techniques to hide its presence. It installs other malware into the computer, and it may be installed by a malware dropper.

Installation :

Upon execution, Trojan:WinNT/Omexo.C installs itself as a kernel mode driver. It creates certain registry entries to ensure that it runs every time Windows starts, even in Safe Mode. It prevents any attempts to change its settings in the system registry, including under the following subkeys:

  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal

Trojan:WinNT/Omexo.C creates the event "\BaseNamedObjects\{614B3634-1589-C228-F84B-4A11C457413D55BE}"; it exits if the event is already present. It also creates threads and alters code in the following processes:

  • explorer.exe
  • services.exe
  • csrss.exe

In addition, it exits if it determines that the computer it is running on is a virtual machine, or if any debugger is running in the computer.

Payload :

Modifies the system registry

Trojan:WinNT/Omexo.C modifies or deletes the "Shell" and "Imagepath" registry entries from the following subkey:

  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Note that by default the "Shell" entry has the data "explorer.exe".

Loads other malware

Trojan:WinNT/Omexo.C contains an encrypted DLL, which it loads directly into memory and attaches to the legitimate process "services.exe". The DLL is detected as Trojan:Win32/Omexo.C.
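The two registry effects described above (a tampered Winlogon "Shell" value and entries added under the SafeBoot keys so the driver also loads in Safe Mode) can be checked offline from a `reg export` dump taken during triage. The script below is an added example, not part of the original description; it assumes a known-good baseline export of the same keys is available for comparison, and the driver name and dropped-file path in the constructed samples are placeholders, not indicators from this family.

```python
"""Offline audit of `reg export` dumps for Winlogon Shell tampering and
SafeBoot entries that are absent from a known-good baseline export.
Added example; the baseline-comparison workflow is an assumption."""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"  # documented default data of the "Shell" value
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network",
)

# Constructed samples in `reg export` format (not from a real system);
# PLACEHOLDER_DRIVER.sys and the dropped.exe path are placeholders.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
'''

SUSPECT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\PLACEHOLDER\\dropped.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PLACEHOLDER_DRIVER.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PLACEHOLDER_DRIVER.sys]
@="Driver"
'''

# Matches `"name"=data` or `@=data` (the key's default value).
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo the \\ and \" escaping that reg export applies to REG_SZ text."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse reg-export text into {key_path: {value_name: data}}.
    Quoted (REG_SZ) data is decoded; other types are kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name_tok, data = m.group(1), m.group(2)
        name = "" if name_tok == "@" else _unescape(name_tok[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def audit(suspect_text, baseline_text):
    """Return findings: a Shell value that is missing or not explorer.exe,
    and SafeBoot subkeys present in the suspect export but not the baseline."""
    suspect = parse_reg_export(suspect_text)
    baseline = parse_reg_export(baseline_text)
    findings = []

    shell = suspect.get(WINLOGON_KEY, {}).get("Shell")
    if shell is None:
        findings.append("Winlogon Shell value is missing (default is explorer.exe)")
    elif shell.strip().lower() != DEFAULT_SHELL:
        findings.append(f"Winlogon Shell modified: {shell!r}")

    for root in SAFEBOOT_KEYS:
        prefix = root + "\\"
        leaf = root.rsplit("\\", 1)[-1]  # "Minimal" or "Network"
        for key in sorted(suspect):
            if key.startswith(prefix) and key not in baseline:
                findings.append(f"SafeBoot entry not in baseline: {key[len(prefix):]} under {leaf}")
    return findings


if __name__ == "__main__":
    for finding in audit(SUSPECT_REG, BASELINE_REG):
        print(finding)
```

Run against real exports, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and the two SafeBoot keys supply the suspect text, while the baseline comes from a clean build of the same Windows version; a Shell value that is not exactly `explorer.exe`, or a SafeBoot entry the baseline lacks, is what to investigate first.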

    Analysis by Patrik Vicol

    Last update 29 March 2010