The Trojan may arrive as an email attachment or it may be dropped or downloaded by another threat.
When executed, the threat creates one of the following files:
- %Temp%\c_1758.nls
- %Temp%\[RANDOM FILE NAME]
It then creates a service with the following characteristic:
Service name: RaS[FOUR RANDOM CHARACTERS]
The Trojan creates the following registry subkey in order to register the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS]
Next, the Trojan modifies the following registry entry, which holds the REG_MULTI_SZ list of service names that svchost.exe loads in the netsvcs group, so that its own RaS[FOUR RANDOM CHARACTERS] service is loaded alongside the legitimate ones:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\"netsvcs" = "36 00 74 00 6F 00 34 00 00 00 41 00 75 00 64 00 69 00 6F 00 53 00 72 00 76 00 00 00 42 00 72 00 6F 00 77 00 73 00 65 00 72 00 00 00 43 00 72 00 79 00 70 00 74 00 53 00 76 00 63 00 00 00 44 00 4D 00 53 00 65 00 72 00 76 00 65 00 72 00 00 00 44 00 48 00 43 00 50 00 00 00 45 00 52 00 53 00 76 00 63 00 00 00 45 00 76 00 65 00 6E 00 74 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 46 00 61 00 73 00 74 00 55 00 73 00 65 00 72 00 53 00 77 00 69 00 74 00 63 00 68 00 69 00 6E 00 67 00 43 00 6F 00 6D 00 70 00 61 00 74 00 69 00 62 00 69 00 6C 00 69 00 74 00 79 00 00 00 48 00 69 00 64 00 53 00 65 00 72 00 76 00 00 00 49 00 61 00 73 00 00 00 49 00 70 00 72 00 69 00 70 00 00 00 49 00 72 00 6D 00 6F 00 6E 00 00 00 4C 00 61 00 6E 00 6D 00 61 00 6E 00 53 00 65 00 72 00 76 00 65 00 72 00 00 00 4C 00 61 00 6E 00 6D 00 61 00 6E 00 57 00 6F 00 72 00 6B 00 73 00 74 00 61 00 74 00 69 00 6F 00 6E 00 00 00 4D 00 65 00 73 00 73 00 65 00 6E 00 67 00 65 00 72 00 00 00 4E 00 65 00 74 00 6D 00 61 00 6E 00 00 00 4E 00 6C 00 61 00 00 00 4E 00 74 00 6D 00 73 00 73 00 76 00 63 00 00 00 4E 00 57 00 43 00 57 00 6F 00 72 00 6B 00 73 00 74 00 61 00 74 00 69 00 6F 00 6E 00 00 00 4E 00 77 00 73 00 61 00 70 00 61 00 67 00 65 00 6E 00 74 00 00 00 52 00 61 00 53 00 42 00 7A 00 6B 00 46 00 00 00 52 00 61 00 73 00 61 00 75 00 74 00 6F 00 00 00 52 00 61 00 73 00 6D 00 61 00 6E 00 00 00 52 00 65 00 6D 00 6F 00 74 00 65 00 61 00 63 00 63 00 65 00 73 00 73 00 00 00 53 00 63 00 68 00 65 00 64 00 75 00 6C 00 65 00 00 00 53 00 65 00 63 00 6C 00 6F 00 67 00 6F 00 6E 00 00 00 53 00 45 00 4E 00 53 00 00 00 53 00 68 00 61 00 72 00 65 00 64 00 61 00 63 00 63 00 65 00 73 00 73 00 00 00 53 00 52 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 00 00 54 00 61 00 70 00 69 00 73 00 72 00 76 00 00 00 54 00 68 00 65 00 6D 00 65 00 73 00 00 00 54 00 72 00 6B 00 57 00 6B 00 73 00 00 00 57 00 33 00 32 00 54 00 69 00 6D 00 65 00 00 00 57 00 5A 00 43 00 53 00 56 00 43 00 00 00 57 00 6D 00 69 00 00 00 57 00 6D 00 64 00 6D 00 50 00 6D 00 53 00 70 00 00 00 77 00 69 00 6E 00 6D 00 67 00 6D 00 74 00 00 00 77 00 73 00 63 00 73 00 76 00 63 00 00 00 78 00 6D 00 6C 00 70 00 72 00 6F 00 76 00 00 00 42 00 49 00 54 00 53 00 00 00 77 00 75 00 61 00 75 00 73 00 65 00 72 00 76 00 00 00 53 00 68 00 65 00 6C 00 6C 00 48 00 57 00 44 00 65 00 74 00 65 00 63 00 74 00 69 00 6F 00 6E 00 00 00 68 00 65 00 6C 00 70 00 73 00 76 00 63 00 00 00 57 00 6D 00 64 00 6D 00 50 00 6D 00 53 00 4E 00 00 00"
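The netsvcs value above is a REG_MULTI_SZ: UTF-16LE strings, each ended by a two-byte NUL, with an extra NUL closing the list. Decoded, it is the ordinary Windows XP netsvcs list with one extra entry, RaSBzkF, which is the RaS[FOUR RANDOM CHARACTERS] service the Trojan registers. The following Python script is an added example, not part of the Symantec write-up: it decodes a netsvcs value given as a hex dump (the way reports and .reg exports print it), then flags any entry that matches the Trojan's service-name pattern or is absent from a baseline list. The baseline is the value above with the Trojan's entry removed; the assumption that the four random characters are alphanumeric, the sample hex blob, and all function names are mine.

```python
import re
from typing import Iterable, List, Tuple

# Registry location of the value (path taken from the write-up above).
NETSVCS_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
NETSVCS_VALUE = "netsvcs"

# Service-name pattern from the write-up: "RaS" + four random characters.
# Assumption (mine): the random characters are ASCII letters or digits.
TROJAN_SERVICE_NAME = re.compile(r"^RaS[A-Za-z0-9]{4}$")

# Allowlist: every name in the netsvcs value shown above except the Trojan's
# own entry. On a real host, use the list from a known-good image of the same
# OS build instead; the netsvcs group differs between Windows versions.
BASELINE_NETSVCS = frozenset([
    "6to4", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias", "Iprip",
    "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla",
    "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv", "ShellHWDetection",
    "helpsvc", "WmdmPmSN",
])


def decode_reg_multi_sz_hex(hex_dump: str) -> List[str]:
    """Decode a REG_MULTI_SZ given as space-separated hex bytes.

    The value is UTF-16LE text made of NUL-terminated strings with one extra
    NUL closing the list; splitting on NUL and dropping empties yields the names.
    """
    raw = bytes.fromhex("".join(hex_dump.split()))
    text = raw.decode("utf-16-le")
    return [name for name in text.split("\x00") if name]


def encode_reg_multi_sz_hex(entries: Iterable[str]) -> str:
    """Inverse of decode_reg_multi_sz_hex: render a list of names as the
    hex dump of its REG_MULTI_SZ encoding (useful for building test data)."""
    raw = b"".join(e.encode("utf-16-le") + b"\x00\x00" for e in entries) + b"\x00\x00"
    return " ".join(f"{b:02X}" for b in raw)


def find_suspicious_entries(entries: Iterable[str],
                            baseline: frozenset = BASELINE_NETSVCS) -> List[Tuple[str, str]]:
    """Return (name, reason) for each entry that matches the Trojan's naming
    pattern or that is not in the baseline list. Order follows the input."""
    findings = []
    for name in entries:
        if TROJAN_SERVICE_NAME.match(name):
            findings.append((name, "matches RaS[4 chars] service name pattern"))
        elif name not in baseline:
            findings.append((name, "not in baseline netsvcs list"))
    return findings


def check_netsvcs_hex(hex_dump: str) -> List[Tuple[str, str]]:
    """Decode a hex-dumped netsvcs value and report suspicious entries."""
    return find_suspicious_entries(decode_reg_multi_sz_hex(hex_dump))


# Constructed sample (a short excerpt in the same layout as the value above,
# not the full value): two legitimate entries, the Trojan's entry, one more
# legitimate entry, and the list terminator.
SAMPLE_NETSVCS_HEX = (
    "36 00 74 00 6F 00 34 00 00 00 "                          # "6to4"
    "41 00 75 00 64 00 69 00 6F 00 53 00 72 00 76 00 00 00 "  # "AudioSrv"
    "52 00 61 00 53 00 42 00 7A 00 6B 00 46 00 00 00 "        # "RaSBzkF"
    "52 00 61 00 73 00 61 00 75 00 74 00 6F 00 00 00 "        # "Rasauto"
    "00 00"                                                   # list terminator
)

if __name__ == "__main__":
    print(f"checking {NETSVCS_PATH}\\{NETSVCS_VALUE}")
    for name, reason in check_netsvcs_hex(SAMPLE_NETSVCS_HEX):
        print(f"suspicious netsvcs entry {name!r}: {reason}")
```

Paste the full hex string from the registry entry above into check_netsvcs_hex() to decode it in full; on a live Windows host, winreg.QueryValueEx() already returns a REG_MULTI_SZ as a list of strings, so the list can be passed straight to find_suspicious_entries(). The pattern check catches this Trojan's naming scheme; the baseline comparison is the more general control, because it also catches a service added under a name that happens to look legitimate.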
The Trojan then opens a back door that allows a remote attacker to perform the following actions on the compromised computer:
- Adjust token privileges.
- Check status of, control, and end processes and services.
- Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
- Create, modify, and delete registry subkeys.
- Retrieve a list of logical drives.
- Read, write, execute, copy, change attributes, and delete files.
- Shut down and restart the computer.
- Uninstall itself by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS] subkey.
- Clear all system event logs.
- Check if %System%\acelpvc.dll is present. If so, load it and call its EntryMain() export.
- Check if %System%\VedioDriver.dll is present.
- Open, read, and delete the %System%\drivers\etc\networks.ics file.
- Retrieve the CPU speed by checking the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\"~MHz" registry value.
It then connects to one of the following domains on port 443 and sends any information gathered:
- yahooo.8866.org
- sl1.homelinux.org
- 360.homeunix.com
The Trojan then redirects the computer to one of the following domains:
- li107-40.members.linode.com
- ftp2.homeunix.com
- update.ourhobby.com
The Trojan also stores configuration information in the following registry entries:
- HKEY_LOCAL_MACHINE\Software\Sun\1.1.2\"IsoTp"
- HKEY_LOCAL_MACHINE\Software\Sun\1.1.2\"AppleTlk"
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":