TROJ_HYDRAQ.SMA

 Analysis by: adel

 PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojan has received attention from independent media sources and/or other security firms.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan may be downloaded by other malware/grayware from remote sites.

As of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

Ports:

TCP Port 443

File Size:

Varies

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

14 Jan 2010

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

  • JS_DLOADER.FIS

Installation

This Trojan drops the following component file(s):

  • %System%\Rasmon.dll - also detected as TROJ_HYDRAQ.SMA

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RaS{Random}
ImagePath = %System%\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Ups{Random}
ImagePath = %System%\svchost.exe -k netsvcs

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\Software\Sun\
1.1.2
AppleTlk =  

HKEY_LOCAL_MACHINE\Software\Sun\
1.1.2
IsoTp =  

Backdoor Routine

This Trojan opens the following ports:

  • TCP port 443

Download Routine

As of this writing, the said sites are inaccessible.

Other Details

Based on analysis of the codes, it has the following capabilities:

  • Clear event logs
  • Execute MDM.EXE using %System%\cmd.exe
  • Execute other files
  • List drives
  • List services
  • Send and receive data from a remote site
  • Terminate processes
  • Terminate/delete services

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It connects to the following possibly malicious URL:

  • 360.{BLOCKED}meunix.com - points to the loopback address, 127.0.0.1/127.0.0.2
  • {BLOCKED}.{BLOCKED}.5.164

  SOLUTION

Minimum Scan Engine:

8.900

FIRST VSAPI PATTERN FILE:

6.784.05

FIRST VSAPI PATTERN DATE:

19 Jan 2010

VSAPI OPR PATTERN File:

6.785.00

VSAPI OPR PATTERN Date:

19 Jan 2010

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by TROJ_HYDRAQ.SMA

    JS_DLOADER.FIS

Step 3

Scan your computer with your Trend Micro product and note files detected as TROJ_HYDRAQ.SMA

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\Software
    • Sun
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • RaS{random}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Ups{random}

Step 5

Search and delete these components

[ Learn More ]
There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result. DATA_GENERIC
  • In the Look In drop-down list, select My Computer then press Enter.
  • Once located, select the file then press SHIFT+DELETE to delete it.
  • Repeat the said steps for all files listed.
  • • For Windows Vista and Windows 7 users:

    1. Click Start>Computer.
    2. In the Search input box, type:
      DATA_GENERIC
    3. Once located, select the file then press SHIFT+DELETE to delete it.
    4. Repeat the said steps for all files listed.
      *Note: Read the following Microsoft page if these steps do not work on Windows 7.

    Step 6

    Search and delete the file detected as TROJ_HYDRAQ.SMA

    [ Learn More ]


    Did this description help? Tell us how we did.