Ok, it is not really a big deal: the trojan has been in the wild since at least 2006, and Symantec just gave it a better name. It was discovered not on January 11, 2010 but much earlier. I like Hydraq better than just Trojan Horse, really. Why Hydraq? What prompted the name, I wonder.
Here is a Symantec blog entry linking Hydraq to the attacks on Google: Hydraq - An Attack of Mythical Proportions.
Update Jan. 20, 2010: Please read more about the Internet Explorer 0day CVE-2010-0249 (Exploit-Comele / Hydraq / Aurora) from Extraexploit.blogspot.com here and here.
Update Jan 24, 2010: Download Hydraq
As you see, Hydraq is well researched (http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html) and most AV products detect the key files. I can provide the following files for antivirus and IT security companies/researchers:
c_1758.nls (ba3545841d8a40ed8493e22c0e70a72c) - copy of the trojan
Acelpvc.dll (4A47404FC21FFF4A1BC492F9CD23139C) - helper file
VedioDriver.dll (467EEF090DEB3517F05A48310FCFD4EE) - helper file
Results on January 17, 2010
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2
Discovered: January 11, 2010
Updated: January 11, 2010 2:59:20 PM
Also Known As: TROJ_HYDRAQ.A [Trend]
Type: Trojan
Infection Length: 81,920 bytes
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
This Trojan may arrive in an email, or it may be dropped or downloaded by another threat. When executed, the threat creates one of the following files:
%Temp%\c_1758.nls
%Temp%\[RANDOM FILE NAME]
It then creates a service with the following characteristic:
Service name: RaS[FOUR RANDOM CHARACTERS]
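The Symantec writeup above gives three host-level indicators: the dropped file name under %Temp%, the RaS[FOUR RANDOM CHARACTERS] service name, and (from the file list in this post) the MD5 hashes of the three files. The following triage helper is an added example, not code from the original post, from Symantec or from the linked analyses; it runs the three checks over a host inventory that is constructed inline here (in practice the services and file hashes would come from an EDR or forensic collection). It assumes the four random characters are alphanumeric and that the "RaS" prefix is matched case-sensitively, so the legitimate Windows RasMan service does not fire.

```python
"""Host triage for the Hydraq indicators quoted in the Symantec writeup.

Added example (not the post's own code).  Checks a host inventory against:
  - a dropped file named c_1758.nls under a Temp directory
  - a service named "RaS" followed by four random characters
  - the MD5 hashes of the three files listed in the post
"""
import re
from dataclasses import dataclass

# MD5s quoted in the post, lower-cased so comparison is case-insensitive.
HYDRAQ_MD5S = {
    "ba3545841d8a40ed8493e22c0e70a72c": "c_1758.nls (trojan)",
    "4a47404fc21fff4a1bc492f9cd23139c": "Acelpvc.dll (helper)",
    "467eef090deb3517f05a48310fcfd4ee": "VedioDriver.dll (helper)",
}

# Symantec: "Service name: RaS[FOUR RANDOM CHARACTERS]".  Assumption: the four
# characters are alphanumeric; the "RaS" prefix is matched case-sensitively so
# the legitimate Windows service "RasMan" is not flagged.
SERVICE_RE = re.compile(r"^RaS[A-Za-z0-9]{4}$")

# Symantec: %Temp%\c_1758.nls.  The other dropped name is random, so only the
# fixed one is matched; either path separator is accepted because different
# collectors normalise paths differently.
TEMP_FILE_RE = re.compile(r"(?:^|[\\/])temp[\\/]c_1758\.nls$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "service", "path" or "hash"
    value: str   # the inventory item that matched
    detail: str  # why it matched


def match_service(name):
    """True if a service name fits the RaS + four random characters pattern."""
    return bool(SERVICE_RE.match(name))


def match_path(path):
    """True if the path is the fixed Hydraq drop location/name."""
    return bool(TEMP_FILE_RE.search(path))


def match_hash(md5):
    """Return the label for a known Hydraq MD5, or None."""
    return HYDRAQ_MD5S.get(md5.strip().lower())


def triage(services, files):
    """services: iterable of service names; files: iterable of (path, md5).

    Returns the list of Finding objects in inventory order.
    """
    findings = []
    for svc in services:
        if match_service(svc):
            findings.append(Finding("service", svc, "matches RaS[4 random chars] service name"))
    for path, md5 in files:
        if match_path(path):
            findings.append(Finding("path", path, "Hydraq drop location and file name"))
        label = match_hash(md5)
        if label:
            findings.append(Finding("hash", path, f"MD5 is {label}"))
    return findings


# Constructed sample inventory (not real host data).  The two hashes marked
# "constructed" are placeholders, not hashes of real files.
SAMPLE_SERVICES = ["Spooler", "RaSx9Qz", "RasMan", "RaSabc", "RaSabcde"]
SAMPLE_FILES = [
    (r"C:\Windows\System32\kernel32.dll", "0123456789abcdef0123456789abcdef"),  # constructed
    (r"C:\Users\alice\AppData\Local\Temp\c_1758.nls", "BA3545841D8A40ED8493E22C0E70A72C"),
    (r"C:\Windows\System32\VedioDriver.dll", "467eef090deb3517f05a48310fcfd4ee"),
    (r"C:\Users\alice\AppData\Local\Temp\report.pdf", "fedcba9876543210fedcba9876543210"),  # constructed
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_FILES):
        print(f"[{f.kind}] {f.value}: {f.detail}")
```

On the constructed inventory this reports four findings: the RaSx9Qz service, the c_1758.nls file in Temp (once for the path and once for its hash), and the VedioDriver.dll hash. The hash check is the only one that survives a renamed or relocated copy, so on a real host the three checks should be read together rather than relying on the file name alone.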
http://www.virustotal.com/analisis/160cb3d6c6e11a8c649a1d0ed33faf927ae6dc99e0c76ae1982720255867b38e-1263698531
File c_1758.nls received on 2010.01.17 03:22:11 (UTC)
Result: 25/41 (60.98%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.16 CC.Agent.BA!IK
AhnLab-V3 5.0.0.2 2010.01.16 Win-Trojan/Agent.20480.PL
AntiVir 7.9.1.142 2010.01.16 CC/Agent.BA
Avast 4.8.1351.0 2010.01.16 Win32:Trojan-gen
BitDefender 7.2 2010.01.17 Trojan.Generic.1470226
CAT-QuickHeal 10.00 2010.01.16 Trojan.Agent.ATV
Comodo 3608 2010.01.17 UnclassifiedMalware
eSafe 7.0.17.0 2010.01.14 Win32.CCAgent.Ba
eTrust-Vet 35.2.7240 2010.01.15 Win32/Enuairs.A
F-Secure 9.0.15370.0 2010.01.16 Trojan.Generic.1470226
Fortinet 4.0.14.0 2010.01.16 PossibleThreat
GData 19 2010.01.17 Trojan.Generic.1470226
Ikarus T3.1.1.80.0 2010.01.16 CC.Agent.BA
K7AntiVirus 7.10.949 2010.01.16 Trojan.Win32.Malware.1
McAfee+Artemis 5863 2010.01.16 Generic.dx
McAfee-GW-Edition 6.8.5 2010.01.16 Virus.Agent.BA
Microsoft 1.5302 2010.01.16 Trojan:Win32/Bumat!rts
nProtect 2009.1.8.0 2010.01.16 Trojan/W32.Agent.20480.KJ
Panda 10.0.2.2 2010.01.16 Generic Trojan
PCTools 7.0.3.5 2010.01.17 Trojan.Hydraq
Prevx 3.0 2010.01.17 Medium Risk Malware
Rising 22.30.06.01 2010.01.17 Trojan.Spy.Rasmon.a
Symantec 20091.2.0.41 2010.01.17 Trojan.Hydraq
TrendMicro 9.120.0.1004 2010.01.16 TROJ_Generic.ADV
Additional information
File size: 20480 bytes
MD5 : ba3545841d8a40ed8493e22c0e70a72c
File c_1758.nls received on 2009.04.03 17:28:45 (UTC)
Result: 15/40 (37.50%)
a-squared 4.0.0.101 2009.04.03 CC.Agent.BA!IK
AhnLab-V3 5.0.0.2 2009.04.03 Win-Trojan/Agent.20480.PL
AntiVir 7.9.0.129 2009.04.03 CC/Agent.BA
Avast 4.8.1335.0 2009.04.03 Win32:Trojan-gen {Other}
BitDefender 7.2 2009.04.03 Trojan.Generic.1470226
eTrust-Vet 31.6.6434 2009.04.03 Win32/Enuairs.A
Fortinet 3.117.0.0 2009.04.03 PossibleThreat
K7AntiVirus 7.10.692 2009.04.03 Trojan.Win32.Malware.1
McAfee-GW-Edition 6.7.6 2009.04.03 Virus.Agent.BA
Rising 21.23.41.00 2009.04.03 Trojan.Spy.Rasmon.a
Symantec 1.4.4.12 2009.04.03 Trojan Horse
Additional information
File size: 20480 bytes
MD5...: ba3545841d8a40ed8493e22c0e70a72c
file timedatestamp.....: 0x44e1d7b3 (Tue Aug 15 14:18:27 2006)
The first known attack attempt using this trojan: December 20, 2006.
Vediodriver.dll
http://www.virustotal.com/analisis/f0c78171b11b40f40e24dd9eaa8a3a381e1816ab8c3653aeb167e94803f90430-1264023110
f0c78171b11b40f40e24dd9eaa8a3a381 received on 2010.01.20 21:31:50 (UTC)
Result: 18/40 (45.00%)
a-squared 4.5.0.50 2010.01.20 RemoteAccess!IK
AntiVir 7.9.1.146 2010.01.20 APPL/Remote.RealVNC.95
AVG 9.0.0.730 2010.01.19 BackDoor.Agent.AFFU
ClamAV 0.94.1 2010.01.20 Trojan.Hydraq-3
Comodo 3650 2010.01.20 UnclassifiedMalware
eTrust-Vet 35.2.7249 2010.01.20 Win32/Aviror.A
Ikarus T3.1.1.80.0 2010.01.20 RemoteAccess
K7AntiVirus 7.10.951 2010.01.20 Trojan.Win32.Malware.1
McAfee 5867 2010.01.20 Roarur.dll
McAfee+Artemis 5867 2010.01.20 Roarur.dll
McAfee-GW-Edition 6.8.5 2010.01.20 Riskware.Remote.RealVNC.95
Microsoft 1.5302 2010.01.20 Backdoor:Win32/Mdmbot.C
Panda 10.0.2.2 2010.01.20 Trj/CI.A
PCTools 7.0.3.5 2010.01.19 Trojan.Hydraq
Sophos 4.50.0 2010.01.20 Mal/Spy-E
Symantec 20091.2.0.41 2010.01.20 Trojan.Hydraq
TrendMicro 9.120.0.1004 2010.01.20 TROJ_HYDRAQ.H
VirusBuster 5.0.21.0 2010.01.20 Backdoor.Mdmbot.B
File size: 8192 bytes
MD5 : 467eef090deb3517f05a48310fcfd4ee
SHA1 : 43d20c85e323b59e7971626a3c1fe1542ab945f7
SHA256: f0c78171b11b40f40e24dd9eaa8a3a381e1816ab8c3653aeb167e94803f90430
PEInfo: PE Structure information
entrypointaddress.: 0x1C37
timedatestamp.....: 0x4473474A (Tue May 23 19:32:58 2006)
machinetype.......: 0x14C (Intel I386)
http://www.virustotal.com/analisis/ce7debbcf1ca3a390083fe5753f231e632017ca041dfa662ad56095a500f2364-1264140003
File acelpvc.dll received on 2010.01.22 06:00:03 (UTC)
Result: 21/41 (51.22%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.22 Win32.SuspectCrc!IK
AhnLab-V3 5.0.0.2 2010.01.22 Win-Trojan/Mdmbot.136704
AntiVir 7.9.1.146 2010.01.21 APPL/Remote.RealVNC.94
BitDefender 7.2 2010.01.22 Trojan.Generic.2992679
ClamAV 0.94.1 2010.01.22 PUA.Packed.ASPack212
eTrust-Vet 35.2.7251 2010.01.21 Win32/Hydraq.A
F-Secure 9.0.15370.0 2010.01.22 Trojan.Generic.2992679
GData 19 2010.01.22 Trojan.Generic.2992679
Ikarus T3.1.1.80.0 2010.01.22 Win32.SuspectCrc
Kaspersky 7.0.0.125 2010.01.22 Trojan.Win32.Genome.eraf
McAfee 5868 2010.01.21 Roarur.dll
McAfee+Artemis 5868 2010.01.21 Roarur.dll
McAfee-GW-Edition 6.8.5 2010.01.21 Riskware.Remote.RealVNC.94
Microsoft 1.5302 2010.01.21 Backdoor:Win32/Mdmbot.C
Panda 10.0.2.2 2010.01.21 Suspicious file
PCTools 7.0.3.5 2010.01.22 Trojan.Hydraq
Sunbelt 3.2.1858.2 2010.01.22 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.01.22 Trojan.Hydraq
TrendMicro 9.120.0.1004 2010.01.22 TROJ_HYDRAQ.G
VirusBuster 5.0.21.0 2010.01.21 Backdoor.Mdmbot.A
Additional information
File size: 136704 bytes
MD5 : 4a47404fc21fff4a1bc492f9cd23139c