Clicky

Pages

Wednesday, January 20, 2010

Trojan.Hydraq detection and naming


Ok, it is not really a big deal, the trojan was in the wild since at least 2006 and Symantec just added a better name for it. It was discovered not on January 11, 2010 but much earlier. I like Hydraq better than just Trojan Horse, really. Why Hydraq? What prompted the name, I wonder.


Here is a Symantec blog entry linking Hydraq to attacks on Google Hydraq - An Attack of Mythical Proportions


Update Jan. 20, 2010 Please read more about IExplorer 0day CVE-2010-0249 – Exploit-Comele / Hydraq / Aurora  on from Extraexploit.blogspot.com here and here 

  
Update Jan 24, 2010  Download Hydraq
 As you see, Hydraq is well researched (http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html) and most AV products detect the key files. I can provide the following files for antivirus and IT security companies/researchers.

c_1758.nls (ba3545841d8a40ed8493e22c0e70a72c)- copy of the trojan
Acelpvc.dll (4A47404FC21FFF4A1BC492F9CD23139C)- helper file
VedioDriver.dll (467EEF090DEB3517F05A48310FCFD4EE)- helper file


Results on January 17, 2010
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2


Discovered: January 11, 2010
Updated: January 11, 2010 2:59:20 PM
Also Known As: TROJ_HYDRAQ.A [Trend]
Type: Trojan
Infection Length: 81,920 bytes
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
This Trojan may arrive in an email or it may be dropped or downloaded by another threat.

When executed, the threat creates one of the following files:
%Temp%\c_1758.nls
%Temp%\[RANDOM FILE NAME]

It then creates a service with the following characteristic:
Service name: RaS[FOUR RANDOM CHARACTERS]



http://www.virustotal.com/analisis/160cb3d6c6e11a8c649a1d0ed33faf927ae6dc99e0c76ae1982720255867b38e-1263698531
File c_1758.nls received on 2010.01.17 03:22:11 (UTC)
Result: 25/41 (60.98%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.01.16     CC.Agent.BA!IK
AhnLab-V3     5.0.0.2     2010.01.16     Win-Trojan/Agent.20480.PL
AntiVir     7.9.1.142     2010.01.16     CC/Agent.BA
Avast     4.8.1351.0     2010.01.16     Win32:Trojan-gen
BitDefender     7.2     2010.01.17     Trojan.Generic.1470226
CAT-QuickHeal     10.00     2010.01.16     Trojan.Agent.ATV
Comodo     3608     2010.01.17     UnclassifiedMalware
eSafe     7.0.17.0     2010.01.14     Win32.CCAgent.Ba
eTrust-Vet     35.2.7240     2010.01.15     Win32/Enuairs.A
F-Secure     9.0.15370.0     2010.01.16     Trojan.Generic.1470226
Fortinet     4.0.14.0     2010.01.16     PossibleThreat
GData     19     2010.01.17     Trojan.Generic.1470226
Ikarus     T3.1.1.80.0     2010.01.16     CC.Agent.BA
K7AntiVirus     7.10.949     2010.01.16     Trojan.Win32.Malware.1
McAfee+Artemis     5863     2010.01.16     Generic.dx
McAfee-GW-Edition     6.8.5     2010.01.16     Virus.Agent.BA
Microsoft     1.5302     2010.01.16     Trojan:Win32/Bumat!rts
nProtect     2009.1.8.0     2010.01.16     Trojan/W32.Agent.20480.KJ
Panda     10.0.2.2     2010.01.16     Generic Trojan
PCTools     7.0.3.5     2010.01.17     Trojan.Hydraq
Prevx     3.0     2010.01.17     Medium Risk Malware
Rising     22.30.06.01     2010.01.17     Trojan.Spy.Rasmon.a
Symantec     20091.2.0.41     2010.01.17     Trojan.Hydraq
TrendMicro     9.120.0.1004     2010.01.16     TROJ_Generic.ADV
Additional information
File size: 20480 bytes
MD5   : ba3545841d8a40ed8493e22c0e70a72c


Results on April 3, 2009


same file
 File c_1758.nls received on 2009.04.03 17:28:45 (UTC)
Result: 15/40 (37.50%)
a-squared     4.0.0.101     2009.04.03     CC.Agent.BA!IK
AhnLab-V3     5.0.0.2     2009.04.03     Win-Trojan/Agent.20480.PL
AntiVir     7.9.0.129     2009.04.03     CC/Agent.BA
Avast     4.8.1335.0     2009.04.03     Win32:Trojan-gen {Other}
BitDefender     7.2     2009.04.03     Trojan.Generic.1470226
eTrust-Vet     31.6.6434     2009.04.03     Win32/Enuairs.A
Fortinet     3.117.0.0     2009.04.03     PossibleThreat
K7AntiVirus     7.10.692     2009.04.03     Trojan.Win32.Malware.1
McAfee-GW-Edition     6.7.6     2009.04.03     Virus.Agent.BA
Rising     21.23.41.00     2009.04.03     Trojan.Spy.Rasmon.a
Symantec     1.4.4.12     2009.04.03     Trojan Horse
Additional information
File size: 20480 bytes
MD5...: ba3545841d8a40ed8493e22c0e70a72c




file timedatestamp.....: 0x44e1d7b3 (Tue Aug 15 14:18:27 2006)
The first known attack attempt using this trojan - December 20, 2006



Vediodriver.dll
http://www.virustotal.com/analisis/f0c78171b11b40f40e24dd9eaa8a3a381e1816ab8c3653aeb167e94803f90430-1264023110
f0c78171b11b40f40e24dd9eaa8a3a381 received on 2010.01.20 21:31:50 (UTC)

Result: 18/40 (45.00%)
a-squared 4.5.0.50 2010.01.20 RemoteAccess!IK
AntiVir 7.9.1.146 2010.01.20 APPL/Remote.RealVNC.95
AVG 9.0.0.730 2010.01.19 BackDoor.Agent.AFFU
ClamAV 0.94.1 2010.01.20 Trojan.Hydraq-3
Comodo 3650 2010.01.20 UnclassifiedMalware
eTrust-Vet 35.2.7249 2010.01.20 Win32/Aviror.A
Ikarus T3.1.1.80.0 2010.01.20 RemoteAccess
K7AntiVirus 7.10.951 2010.01.20 Trojan.Win32.Malware.1
McAfee 5867 2010.01.20 Roarur.dll
McAfee+Artemis 5867 2010.01.20 Roarur.dll
McAfee-GW-Edition 6.8.5 2010.01.20 Riskware.Remote.RealVNC.95
Microsoft 1.5302 2010.01.20 Backdoor:Win32/Mdmbot.C
Panda 10.0.2.2 2010.01.20 Trj/CI.A
PCTools 7.0.3.5 2010.01.19 Trojan.Hydraq
Sophos 4.50.0 2010.01.20 Mal/Spy-E
Symantec 20091.2.0.41 2010.01.20 Trojan.Hydraq
TrendMicro 9.120.0.1004 2010.01.20 TROJ_HYDRAQ.H
VirusBuster 5.0.21.0 2010.01.20 Backdoor.Mdmbot.B

File size: 8192 bytes
MD5   : 467eef090deb3517f05a48310fcfd4ee
SHA1  : 43d20c85e323b59e7971626a3c1fe1542ab945f7
SHA256: f0c78171b11b40f40e24dd9eaa8a3a381e1816ab8c3653aeb167e94803f90430
PEInfo: PE Structure information
entrypointaddress.: 0x1C37
timedatestamp.....: 0x4473474A (Tue May 23 19:32:58 2006)
machinetype.......: 0x14C (Intel I386)



http://www.virustotal.com/analisis/ce7debbcf1ca3a390083fe5753f231e632017ca041dfa662ad56095a500f2364-1264140003
 File acelpvc.dll received on 2010.01.22 06:00:03 (UTC)
Result: 21/41 (51.22%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.01.22     Win32.SuspectCrc!IK
AhnLab-V3     5.0.0.2     2010.01.22     Win-Trojan/Mdmbot.136704
AntiVir     7.9.1.146     2010.01.21     APPL/Remote.RealVNC.94
BitDefender     7.2     2010.01.22     Trojan.Generic.2992679
ClamAV     0.94.1     2010.01.22     PUA.Packed.ASPack212
eTrust-Vet     35.2.7251     2010.01.21     Win32/Hydraq.A
F-Secure     9.0.15370.0     2010.01.22     Trojan.Generic.2992679
GData     19     2010.01.22     Trojan.Generic.2992679
Ikarus     T3.1.1.80.0     2010.01.22     Win32.SuspectCrc
Kaspersky     7.0.0.125     2010.01.22     Trojan.Win32.Genome.eraf
McAfee     5868     2010.01.21     Roarur.dll
McAfee+Artemis     5868     2010.01.21     Roarur.dll
McAfee-GW-Edition     6.8.5     2010.01.21     Riskware.Remote.RealVNC.94
Microsoft     1.5302     2010.01.21     Backdoor:Win32/Mdmbot.C
Panda     10.0.2.2     2010.01.21     Suspicious file
PCTools     7.0.3.5     2010.01.22     Trojan.Hydraq
Sunbelt     3.2.1858.2     2010.01.22     Trojan.Win32.Generic!BT
Symantec     20091.2.0.41     2010.01.22     Trojan.Hydraq
TrendMicro     9.120.0.1004     2010.01.22     TROJ_HYDRAQ.G
VirusBuster     5.0.21.0     2010.01.21     Backdoor.Mdmbot.A
Additional information
File size: 136704 bytes
MD5   : 4a47404fc21fff4a1bc492f9cd23139c



No comments:

Post a Comment