02/18/2015

Trojan.Didytak.B

Type:  Trojan
Discovered:  18.02.2015
Updated:  18.02.2015
Affected systems:  Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
AV Vendor:  Symantec

Description:

The Trojan is downloaded onto the compromised computer by the following malware:

• Trojan.Didytak

Once executed, the Trojan creates the following files:

• %Temp%\mci[RANDOM DIGITS].tmp
• [PATH TO MALWARE]\ICSharpCode.SharpZipLib.dll
• [PATH TO MALWARE]\SystemService.exe
• [PATH TO MALWARE]\Temp/laston.on
• [PATH TO MALWARE]\rec.exe
• [PATH TO MALWARE]\set.info
• [PATH TO MALWARE]\updater.exe

The Trojan also creates the following folders:

• [PATH TO MALWARE]\Temp/Sounds
• [PATH TO MALWARE]\Temp/xCryptoTmp

Next, the Trojan creates the following registry entry so that it runs every time Windows starts:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ATIDriver" = "[PATH TO MALWARE]\updater.exe"

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:

• Take screenshots
• Download, upload, and execute files
• End processes
• Compress a specified path
• Delete a specified path
• Create folders
• Copy, move, and rename files

The Trojan may also gather the following information from the compromised computer:

• Operating system version
• Domain name
• User name
• Host name
• Country the computer is located in
• Global IP address
• Local IP address
• List of running processes, including process IDs
• List of files and files sizes from a specified folder
• List of available drives

The Trojan then connects to the following remote location to receive commands and upload stolen information:

• linksis.info