
Trojan.Didytak.B


First posted on 20 February 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Didytak.B.

Explanation :

The Trojan is downloaded onto the compromised computer by the following malware:
Trojan.Didytak
Once executed, the Trojan creates the following files:
%Temp%\mci[RANDOM DIGITS].tmp
[PATH TO MALWARE]\ICSharpCode.SharpZipLib.dll
[PATH TO MALWARE]\SystemService.exe
[PATH TO MALWARE]\Temp/laston.on
[PATH TO MALWARE]\rec.exe
[PATH TO MALWARE]\set.info
[PATH TO MALWARE]\updater.exe
The Trojan also creates the following folders:
[PATH TO MALWARE]\Temp/Sounds
[PATH TO MALWARE]\Temp/xCryptoTmp
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ATIDriver" = "[PATH TO MALWARE]\updater.exe"
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Take screenshots
Download, upload, and execute files
End processes
Compress a specified path
Delete a specified path
Create folders
Copy, move, and rename files
The Trojan may also gather the following information from the compromised computer:
Operating system version
Domain name
User name
Host name
Country the computer is located in
Global IP address
Local IP address
List of running processes, including process IDs
List of files and file sizes from a specified folder
List of available drives
The Trojan then connects to the following remote location to receive commands and upload stolen information:
linksis.info
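The host artifacts above (the Run value, the dropped files and folders, the process names and the command-and-control domain) can be checked on a suspect machine with the following triage script. It is an added example, not code from Symantec's writeup: the indicator values are the ones listed on this page, while the script layout, the variable names and the assumption that the directory named in the ATIDriver Run value is the [PATH TO MALWARE] directory are this example's own. It assumes Windows PowerShell 3 or later; the DNS cache check needs the DnsClient module (Windows 8 / Server 2012 and later) and is skipped where the cmdlet is absent.

```powershell
# Added triage script for the Trojan.Didytak.B indicators listed above.
# Not Symantec's code; paths and names below are taken from the writeup,
# everything else (structure, output format) is an assumption of this example.

$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue    = 'ATIDriver'
# Files the writeup says are created relative to [PATH TO MALWARE]
# (the page writes Temp/laston.on with a forward slash; Windows accepts either)
$fileNames   = @('ICSharpCode.SharpZipLib.dll', 'SystemService.exe', 'rec.exe',
                 'set.info', 'updater.exe', 'Temp\laston.on')
$folderNames = @('Temp\Sounds', 'Temp\xCryptoTmp')
$procNames   = @('SystemService', 'rec', 'updater')   # Get-Process names have no .exe
$c2Domain    = 'linksis.info'

$findings = @()

# 1. Persistence: HKCU Run value "ATIDriver" pointing at updater.exe
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $target = [string]$run.$runValue
    $findings += "Run value '$runValue' present: $target"

    # Assumption: the directory holding updater.exe is [PATH TO MALWARE],
    # so look for the other dropped files and folders next to it.
    $malDir = Split-Path -Parent ($target.Trim('"'))
    if ($malDir -and (Test-Path -LiteralPath $malDir)) {
        foreach ($f in $fileNames) {
            $p = Join-Path $malDir $f
            if (Test-Path -LiteralPath $p -PathType Leaf) { $findings += "Dropped file present: $p" }
        }
        foreach ($d in $folderNames) {
            $p = Join-Path $malDir $d
            if (Test-Path -LiteralPath $p -PathType Container) { $findings += "Dropped folder present: $p" }
        }
    }
}

# 2. %Temp%\mci[RANDOM DIGITS].tmp: only the name pattern is known, so match it
$tmpFiles = Get-ChildItem -Path $env:TEMP -Filter 'mci*.tmp' -File -ErrorAction SilentlyContinue
foreach ($t in $tmpFiles) {
    if ($t.Name -match '^mci\d+\.tmp$') { $findings += "Temp artefact: $($t.FullName)" }
}

# 3. Running processes named like the dropped executables.
#    'updater' and 'rec' are generic names, so the image path is reported for review.
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($procNames -contains $proc.ProcessName) {
        $findings += "Process: $($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)"
    }
}

# 4. DNS client cache entry for the C2 domain (present only if resolved recently)
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($e in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
        if ($e.Entry -like "*$c2Domain*") { $findings += "DNS cache entry: $($e.Entry) -> $($e.Data)" }
    }
}

if ($findings.Count -eq 0) { 'No Trojan.Didytak.B indicators found.' } else { $findings }
```

Run it in the context of the user whose profile is suspected, since the persistence key lives under HKEY_CURRENT_USER and is not visible from another account's session. A process named updater or rec is not on its own evidence of infection; confirm the reported image path against the other artifacts before acting on it.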

Last update 20 February 2015
