TROJ_HYDRAQ.SMA
Windows 98, ME, NT, 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan has received attention from independent media sources and/or other security firms.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
This Trojan may be downloaded by other malware/grayware from remote sites.
As of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
TCP Port 443
Varies
PE
Yes
14 Jan 2010
Arrival Details
This Trojan may be downloaded by the following malware/grayware from remote sites:
- JS_DLOADER.FIS
Installation
This Trojan drops the following component file(s):
- %System%\Rasmon.dll - also detected as TROJ_HYDRAQ.SMA
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RaS{Random}
ImagePath = %System%\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Ups{Random}
ImagePath = %System%\svchost.exe -k netsvcs
Other System Modifications
This Trojan adds the following registry keys:
HKEY_LOCAL_MACHINE\Software\Sun\
1.1.2
AppleTlk =
HKEY_LOCAL_MACHINE\Software\Sun\
1.1.2
IsoTp =
Backdoor Routine
This Trojan opens the following ports:
- TCP port 443
Download Routine
As of this writing, the said sites are inaccessible.
Other Details
Based on analysis of the codes, it has the following capabilities:
- Clear event logs
- Execute MDM.EXE using %System%\cmd.exe
- Execute other files
- List drives
- List services
- Send and receive data from a remote site
- Terminate processes
- Terminate/delete services
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It connects to the following possibly malicious URL:
- 360.{BLOCKED}meunix.com - points to the loopback address, 127.0.0.1/127.0.0.2
- {BLOCKED}.{BLOCKED}.5.164
SOLUTION
8.900
6.784.05
19 Jan 2010
6.785.00
19 Jan 2010
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove the malware/grayware file dropped/downloaded by TROJ_HYDRAQ.SMA
- JS_DLOADER.FIS
Step 3
Scan your computer with your Trend Micro product and note files detected as TROJ_HYDRAQ.SMA
Step 4
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\Software
- Sun
- Sun
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- RaS{random}
- RaS{random}
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- Ups{random}
- Ups{random}
Step 5
Search and delete these components
• For Windows Vista and Windows 7 users:
- Click Start>Computer.
- In the Search input box, type:
DATA_GENERIC - Once located, select the file then press SHIFT+DELETE to delete it.
- Repeat the said steps for all files listed.
*Note: Read the following Microsoft page if these steps do not work on Windows 7.
Step 6
Search and delete the file detected as TROJ_HYDRAQ.SMA
Did this description help? Tell us how we did.