
Trojan:Win32/Hideproc.G


First posted on 02 November 2011.
Source: SecurityHome

Aliases :

Trojan:Win32/Hideproc.G is also known as Win-Trojan/Agent.85504.HN (AhnLab), W32/Duqu.A (Command), Trojan.Win32.Inject.bjyg (Kaspersky), W32/Duqu.A (Norman), Trojan.Agent.RD (VirusBuster), Trojan.Duqu.B (BitDefender), Trojan.PWS.Duqu.1 (Dr.Web), Win32/Duqu.A trojan (ESET), Trojan.Win32.Inject (Ikarus), PWS-Duqu.dr (McAfee), Troj/Bdoor-BDA (Sophos), Infostealer (Symantec), TROJ_SHADOW.AF (Trend Micro).

Explanation :

Trojan:Win32/Hideproc.G is a trojan that steals information about the computer it is currently installed in. Information it steals includes keystrokes, desktop screenshots, user credentials, and currently running processes.


Installation

Trojan:Win32/Hideproc.G may be executed with a command line of the following form:

<malware>.exe xxx /<parameters>

where <parameters> include the following:

  • delme - deletes the file
  • v - maps components to target processes during installation
  • quit - terminates the file process
  • restart - restarts the file process


Trojan:Win32/Hideproc.G contains an embedded JPG file, which contains two encrypted component files: a DLL component that steals information, and an EXE component that injects the DLL code into certain processes.
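A JPEG that carries encrypted components is usually a valid image with the payload appended after its end-of-image marker. The following triage check, added here as an example and not code from the original analysis or from the malware, walks the JPEG segment chain of an image blob (for instance a resource carved from the dropper) to the EOI marker, returns whatever follows it, and estimates the trailer's Shannon entropy so an analyst can tell appended ciphertext from an ordinary trailing comment. The sample image and the 4 KiB pseudo-random trailer are constructed inside the block; the assumption that the components sit after EOI is this example's, not a statement from the page.

```python
"""Added triage example (not from the original advisory): split an image blob into
its JPEG bytes and whatever has been appended after the end-of-image marker."""
import hashlib
import math
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_end_offset(data: bytes, start: int = 0):
    """Return the offset just past the EOI marker of the JPEG at `start`,
    or None if the bytes do not form a complete JPEG segment chain."""
    if data[start:start + 2] != b"\xff\xd8":
        return None
    pos = start + 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte preceding a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == SOI or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                            # stand-alone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seglen < 2:
            return None
        pos += 2 + seglen
        if marker == SOS:
            # Entropy-coded data follows SOS: FF 00 is a stuffed byte and
            # FF D0..D7 are restart markers; any other FF xx is the next marker.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 \
                        and not 0xD0 <= data[pos + 1] <= 0xD7:
                    break
                pos += 1
    return None


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for code or text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def split_trailer(image: bytes):
    """Return (jpeg_bytes, trailer_bytes, trailer_entropy) for an image blob.
    Raises ValueError when the JPEG structure cannot be walked."""
    end = jpeg_end_offset(image)
    if end is None:
        raise ValueError("not a well-formed JPEG")
    trailer = image[end:]
    return image[:end], trailer, shannon_entropy(trailer)


def make_sample() -> bytes:
    """Constructed sample: a minimal JPEG skeleton (SOI, APP0, SOS, scan data, EOI)
    with 4 KiB of deterministic pseudo-random bytes appended to stand in for an
    encrypted component. It is not taken from any real sample."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56" * 8      # contains a stuffed byte and an RST marker
    jpeg = b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
    payload, seed = b"", b"hideproc-sample"
    while len(payload) < 4096:
        seed = hashlib.sha256(seed).digest()
        payload += seed
    return jpeg + payload[:4096]


if __name__ == "__main__":
    jpeg, trailer, ent = split_trailer(make_sample())
    print(f"jpeg={len(jpeg)} bytes, trailer={len(trailer)} bytes, entropy={ent:.2f}")
```

On a real carve, a trailer of a few kilobytes with entropy above roughly 7.5 bits per byte is worth pulling out for further analysis; a short, low-entropy trailer is more often metadata or padding.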



Payload

Steals information

Trojan:Win32/Hideproc.G launches additional instances of any of the following system processes and injects its information-stealing DLL component into them:

  • lsass.exe
  • winlogon.exe
  • svchost.exe


It collects the following information, which it then saves into a file named "%Temp%\~DC<random characters>.tmp" (for example, "~DQC8.tmp"):

  • Network resources (such as share drives, network connections, IPv4 routing table)
  • User network credentials
  • Drive information
  • Desktop/window screenshots
  • Currently running processes and active services
  • Computers connected to the domain
  • TCP/UDP port connections
  • User keystrokes (using a keylogging routine)


It also checks for the presence of the following security product processes on the computer; if found, it records the version of the corresponding program:

  • avp.exe
  • McShield.exe
  • avguard.exe
  • bdagent.exe
  • UmxCfg.exe
  • fsdfwd.exe
  • rtvscan.exe
  • ccSvcHst.exe
  • ekrn.exe
  • tmproxy.exe
  • RavmonD.exe




Analysis by Shawn Wang and Zarestel Ferrer

Last update 02 November 2011
