
System Infected: Trojan.Didytak Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Didytak command-and-control (CnC) traffic. It is recommended that you update your virus definitions and run a full system scan as a precautionary measure.

Additional Information

The Trojan may arrive on the compromised computer through phishing emails.

Once executed, the Trojan creates the following files (the .dmp and _appcompat.txt entries are the kind of crash-reporting artifacts Windows writes when a process fails; their hexadecimal prefixes vary between systems, so they are weak indicators on their own):
%Windir%\i\mt101.exe
%Windir%\i\levo.docx
%Temp%\146E7.dmp
%Temp%\475e_appcompat.txt
%ProgramFiles%\Messenger\pluse.dll

The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"thosts" = "%Windir%\i\mt101.exe"

The Trojan may then perform the following actions:
Log keystrokes
Take screenshots
Steal credentials

The Trojan sends the stolen information to one or more of the following remote locations:
flushupdate.com
pstcmedia.com
mixedwork.com
ineltdriver.com
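The indicators above (dropped files, the Run-key persistence value and the CnC domains) can be checked against host and DNS data. The script below is an added example, not Symantec's detection logic: it expands the %Windir%/%Temp%/%ProgramFiles% placeholders with an assumed environment, matches the published paths and registry value, and parses constructed DNS log lines (the "timestamp host client=IP query=name" format is an assumption) for lookups of the CnC domains or their subdomains.

```python
"""IoC matcher for the Trojan.Didytak indicators published above.

Added example, not Symantec's own detection code. The environment values,
the DNS log format and the SAMPLE_* data at the bottom are constructed.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Indicators exactly as published on the page.
FILE_IOCS = [
    r"%Windir%\i\mt101.exe",
    r"%Windir%\i\levo.docx",
    r"%Temp%\146E7.dmp",
    r"%Temp%\475e_appcompat.txt",
    r"%ProgramFiles%\Messenger\pluse.dll",
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "thosts"
RUN_VALUE_DATA = r"%Windir%\i\mt101.exe"
CNC_DOMAINS = ["flushupdate.com", "pstcmedia.com", "mixedwork.com", "ineltdriver.com"]

# The .dmp and _appcompat.txt names are crash-reporting artifacts whose hex
# prefixes vary per system, so a hit on them alone is treated as weak.
WEAK_FILE_IOCS = {r"%Temp%\146E7.dmp", r"%Temp%\475e_appcompat.txt"}

# Assumed environment for expanding placeholders; a real scanner would read
# os.environ on the host. Fixed here so the example runs anywhere.
ASSUMED_ENV = {
    "Windir": r"C:\Windows",
    "Temp": r"C:\Users\victim\AppData\Local\Temp",
    "ProgramFiles": r"C:\Program Files",
}


def expand_path(path: str, env: Dict[str, str] = ASSUMED_ENV) -> str:
    """Expand %Name% placeholders case-insensitively, as Windows does."""
    def repl(m: re.Match) -> str:
        for name, value in env.items():
            if name.lower() == m.group(1).lower():
                return value
        return m.group(0)  # unknown placeholder: leave untouched
    return re.sub(r"%([^%]+)%", repl, path)


def norm(p: str) -> str:
    """Windows paths and value names compare case-insensitively."""
    return p.strip().lower()


def match_files(present_files: Iterable[str], env=ASSUMED_ENV) -> Dict[str, List[str]]:
    """Return published paths found on the host, split into strong and weak hits."""
    present = {norm(p) for p in present_files}
    strong, weak = [], []
    for ioc in FILE_IOCS:
        if norm(expand_path(ioc, env)) in present:
            (weak if ioc in WEAK_FILE_IOCS else strong).append(ioc)
    return {"strong": strong, "weak": weak}


def match_run_entries(entries: Iterable[Tuple[str, str, str]], env=ASSUMED_ENV) -> List[Tuple[str, str, str]]:
    """entries are (key, value_name, data). Flag the persistence entry by the
    published value name OR by its target, so a renamed value is still caught."""
    target = norm(expand_path(RUN_VALUE_DATA, env))
    hits = []
    for key, name, data in entries:
        if norm(key) != norm(RUN_KEY):
            continue
        if norm(name) == RUN_VALUE_NAME or norm(expand_path(data, env)).strip('"') == target:
            hits.append((key, name, data))
    return hits


# Assumed log shape: "<timestamp> <resolver> client=<ip> query=<qname>"
DNS_LINE = re.compile(r"^\S+ \S+ client=(?P<src>[\d.]+) query=(?P<qname>\S+)")


def match_dns(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Report (client, qname, matched_domain) for CnC domains or any subdomain."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        qname = m.group("qname").rstrip(".").lower()
        for domain in CNC_DOMAINS:
            if qname == domain or qname.endswith("." + domain):
                hits.append((m.group("src"), qname, domain))
    return hits


def scan(files, run_entries, dns_lines, env=ASSUMED_ENV) -> dict:
    """Combine the three checks; weak file hits alone do not mark a host infected."""
    f, r, d = match_files(files, env), match_run_entries(run_entries, env), match_dns(dns_lines)
    return {"files": f, "run_entries": r, "dns": d, "infected": bool(f["strong"] or r or d)}


# Constructed sample host data for the demo.
SAMPLE_FILES = [
    r"C:\Windows\i\mt101.exe",
    r"C:\Windows\i\levo.docx",
    r"C:\Users\victim\AppData\Local\Temp\475e_appcompat.txt",
    r"C:\Windows\notepad.exe",
]
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "thosts", r"C:\Windows\i\mt101.exe"),
    (RUN_KEY, "OneDrive", r"C:\Program Files\OneDrive\OneDrive.exe /background"),
    (RUN_KEY, "svchost", r'"C:\Windows\i\mt101.exe"'),  # renamed value, same target
]
SAMPLE_DNS = [
    "2014-03-05T09:12:01Z dns1 client=10.0.0.5 query=www.flushupdate.com.",
    "2014-03-05T09:12:02Z dns1 client=10.0.0.5 query=mixedwork.com",
    "2014-03-05T09:13:10Z dns1 client=10.0.0.7 query=notflushupdate.com",
    "2014-03-05T09:13:11Z dns1 client=10.0.0.7 query=www.example.com",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_FILES, SAMPLE_RUN_ENTRIES, SAMPLE_DNS), indent=2))
```

The domain check deliberately requires an exact label boundary, so `notflushupdate.com` is not flagged while `www.flushupdate.com` is; the registry check matches on the target path as well as the `thosts` name, since the value name is the easiest thing for a variant to change.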

Affected

  • Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP