VIRUS ALERTS

Trojan Hydraq

Original issue date: January 18, 2010

It has been reported that Trojan Hydraq, a backdoor Trojan, is spreading in the wild. It reaches a system either as a malicious document attached to an email, or via a spoofed email message carrying a link to a malicious website from which the Trojan is downloaded.

Trojan Hydraq is a DLL that runs as a service in the context of the system process svchost.exe and is executed on every system startup.

Once installed, it opens a backdoor, communicates with an IRC command and control server, and can download and install additional malware on the compromised system.

One of the reported attack vectors for its propagation is the recently disclosed zero-day vulnerability (CIVN-2010-03) in Microsoft Internet Explorer, for which a patch is still pending.

Aliases:

TROJ_HYDRAQ.A (Trend Micro), Win32/Enuairs.A (eTrust-Vet), Backdoor:Win32/Mdmbot.B (Microsoft), Trojan.Hydraq (PC Tools), CC.Agent.BA (Ikarus)

Upon execution, the Trojan:

  • Creates the following files:
    • %Temp%\c_1758.nls
    • %Temp%\[RANDOM FILE NAME]

  • Creates a service with the following characteristic:
    Service Name: RaS[FOUR RANDOM CHARACTERS]

  • Creates the following registry entries:
    • HKEY_LOCAL_MACHINE\Software\Sun\1.1.2\
      "IsoTp"
    • HKEY_LOCAL_MACHINE\Software\Sun\1.1.2\
      "AppleTlk"
      (these two entries are used to hide the Trojan's
      configuration)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\RaS[FOUR RANDOM CHARACTERS]
      (registers the service created above)

  • Is also capable of the following:
    • querying values in certain registry keys
    • listing drives
    • clearing event logs
    • terminating processes
    • terminating/deleting services and listing services
    • executing other files
    • executing mdm.exe via %System%\cmd.exe
    • sending data to and receiving data from a remote site

  • Connects to the following sites:
    • li107-40.[REMOVED].com
    • ftp[REMOVED]x.com
    • updat[REMOVED]y.com

  • Sends connection requests on port 443 to the following sites:
    • yahooo.8[removed].org
    • sl1.ho[removed]x.org
    • 360.hom[removed]x.com
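
The following script is an added example, not part of this advisory, showing how the indicators listed above can be checked offline against exports collected from a suspect host (a service name list, the output of reg query on the Sun\1.1.2 key, a %Temp% directory listing, and proxy or firewall log lines). The sample inputs are constructed for the example; the hostnames in them complete the advisory's redacted fragments with "example" and are not the real command and control domains. The "dst=<host>:<port>" log layout and the assumption that the four random service-name characters are alphanumeric are the example's own, and the generic "ftp..." and "updat..." fragments are deliberately not matched because they would flag ordinary hostnames.

```python
import re
from dataclasses import dataclass

# Indicators as printed in the advisory above.
HYDRAQ_TEMP_FILE = "c_1758.nls"                 # dropped under %Temp%
# The service is "RaS" plus four random characters; the advisory does not say
# which characters, so an alphanumeric suffix is an assumption of this example.
# The match is case-sensitive on purpose: the legitimate "RasMan" must not hit.
HYDRAQ_SERVICE_RE = re.compile(r"^RaS[A-Za-z0-9]{4}$")
HYDRAQ_REG_KEY = r"HKEY_LOCAL_MACHINE\Software\Sun\1.1.2"
HYDRAQ_REG_VALUES = {"IsoTp", "AppleTlk"}
# Hostname fragments as redacted in the advisory, matched as prefixes. The
# "ftp..." and "updat..." fragments are left out: they would match ordinary
# hostnames and produce false positives.
HYDRAQ_PORT443_PREFIXES = ("yahooo.8", "sl1.ho", "360.hom")  # seen on port 443
HYDRAQ_ANYPORT_PREFIXES = ("li107-40.",)                     # port not stated


@dataclass(frozen=True)
class Finding:
    source: str    # service / registry / file / network
    evidence: str  # the matching name, value path or log line


def _lines(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def scan_services(text):
    """Service names, one per line (e.g. the Name column of Get-Service)."""
    return [Finding("service", s) for s in _lines(text) if HYDRAQ_SERVICE_RE.match(s)]


def scan_registry(text):
    """Output of: reg query HKLM\\Software\\Sun\\1.1.2 (key line, then value lines)."""
    findings, in_key = [], False
    for ln in _lines(text):
        if ln.upper().startswith("HKEY_"):
            in_key = ln.lower() == HYDRAQ_REG_KEY.lower()
        elif in_key and ln.split()[0] in HYDRAQ_REG_VALUES:
            findings.append(Finding("registry", HYDRAQ_REG_KEY + "\\" + ln.split()[0]))
    return findings


def scan_temp_listing(text):
    """File names found under %Temp%, one per line."""
    return [Finding("file", f) for f in _lines(text) if f.lower() == HYDRAQ_TEMP_FILE]


# Assumed proxy/firewall log layout (constructed): "... dst=<host>:<port> ..."
PROXY_RE = re.compile(r"dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def scan_proxy_log(text):
    """Flag outbound connections to the advisory's command and control hostnames."""
    findings = []
    for ln in _lines(text):
        m = PROXY_RE.search(ln)
        if not m:
            continue
        host, port = m.group("host").lower(), int(m.group("port"))
        if host.startswith(HYDRAQ_ANYPORT_PREFIXES) or (
            port == 443 and host.startswith(HYDRAQ_PORT443_PREFIXES)
        ):
            findings.append(Finding("network", ln))
    return findings


def hunt(services, registry, temp_listing, proxy_log):
    """Run every check; an empty list means no indicator was found."""
    return (scan_services(services) + scan_registry(registry)
            + scan_temp_listing(temp_listing) + scan_proxy_log(proxy_log))


# Constructed sample inputs: the hostnames complete the advisory's redacted
# fragments with "example" and are not the real C2 domains.
SAMPLE_SERVICES = "Dhcp\nRasMan\nRaSx7Qk\nSpooler\n"
SAMPLE_REGISTRY = (
    "HKEY_LOCAL_MACHINE\\Software\\Sun\\1.1.2\n"
    "    IsoTp       REG_BINARY    4F3A9C\n"
    "    AppleTlk    REG_BINARY    7B2E10\n"
)
SAMPLE_TEMP = "tmp1A2B.tmp\nc_1758.nls\n~DF3F.tmp\n"
SAMPLE_PROXY = (
    "2010-01-18T09:14:02Z src=10.0.5.23 dst=www.example.com:443 action=allow\n"
    "2010-01-18T09:14:07Z src=10.0.5.23 dst=yahooo.8example.org:443 action=allow\n"
    "2010-01-18T09:14:09Z src=10.0.5.23 dst=360.homexample.com:80 action=allow\n"
    "2010-01-18T09:15:31Z src=10.0.5.23 dst=li107-40.example.com:8080 action=allow\n"
)

if __name__ == "__main__":
    for f in hunt(SAMPLE_SERVICES, SAMPLE_REGISTRY, SAMPLE_TEMP, SAMPLE_PROXY):
        print(f"[{f.source}] {f.evidence}")
```

On the sample data the script reports one service (RaSx7Qk, while the legitimate RasMan is ignored), both registry values, the dropped .nls file and two network connections; the 360.hom line on port 80 is not flagged because the advisory only ties that host to port 443. A hit on any single check is grounds to isolate the host and look for the remaining indicators, since the random parts of the file and service names mean no one check is guaranteed to fire.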

In view of the rapid propagation of Trojan Hydraq, users are advised to implement the following countermeasures:

  • Search for the malicious files and registry entries created by the Trojan and delete them
  • Install and maintain updated anti-virus software at both gateway and desktop level
  • Use NoScript, a Firefox extension that allows JavaScript, Java, Flash and other plugins to run only on websites the user trusts (for Firefox users)
  • Use caution when opening attachments and accepting file transfers
  • Keep the operating system patched, and apply the fix for the vulnerability mentioned above (CIVN-2010-03) as soon as it is available
  • Install and maintain a firewall at desktop level
  • Block the IRC service and related ports if they are not required; note that the command and control connections listed above use port 443, so port-based blocking alone is not sufficient and the listed sites should also be blocked or monitored
  • Use caution when clicking on links to web pages

References

http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2
http://en.securitylab.ru/viruses/389616.php
http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html
http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html
http://www.cert-in.org.in/vulnerability/civn-2010-03.htm

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003