TROJ_HIDEFIL.ABI

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses common file icons to trick a user into thinking that the files are legitimate.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops a copy of itself in the following folders using different file names:

• %User Profile%\{random filename}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It uses common file icons to trick a user into thinking that the files are legitimate.

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random value} = %User Profile%\{random filename}.exe /{random one-character parameter}

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = 1

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)