Remove Trojan.Hydraq

Posted on: January 18th, 2010

Discovered: January 11, 2010
Updated: January 11, 2010 2:59:20 PM
Type: Trojan
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
Recommended Action:
In order to remove Trojan.Hydraq you need to download the 'No Adware' remover software. Based on our testing this was the best performing remover of Trojan.Hydraq. Read our full No Adware Review.

Technical Details:
This Trojan may arrive in an email or it may be dropped or downloaded by another threat.

When executed, the threat creates one of the following files:

%Temp%\c_1758.nls

%Temp%\[RANDOM FILE NAME]

It then creates a service with the following characteristic:

Service name: RaS[FOUR RANDOM CHARACTERS]

The Trojan creates the following registry subkey in order to register the above service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

RaS[FOUR RANDOM CHARACTERS]

Next, the Trojan modifies the following registry entry (the bytes shown are the UTF-16LE encoding of the string "6to4" in the netsvcs REG_MULTI_SZ value, which controls which services svchost.exe loads into the netsvcs group):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\"netsvcs" = "36 00 74 00 6F 00 34 00 00"

The Trojan then opens a back door and allows a remote attacker to perform the following actions on the compromised computer:

* Adjust token privileges.

* Check the status of, control, and end processes and services.

* Download a remote file, save it as %Temp%\mdm.exe, and then execute it.

* Create, modify, and delete registry subkeys.

* Retrieve a list of logical drives.

* Read, write, execute, copy, change attributes, and delete files.

* Reboot and shut down the computer.

* Uninstall itself by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS] subkey.

* Clear all system event logs.

* Check if %System%\acelpvc.dll is present. If so, load it and call its EntryMain() export.

* Check if %System%\VedioDriver.dll is present.

* Open, read, and delete the %System%\drivers\etc\networks.ics file.

* Retrieve the CPU speed by checking the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\"~MHz" registry value.

It then connects to one of the following domains using port 443 and sends any information gathered:

* yahooo.8866.org

* sl1.homelinux.org

* 360.homeunix.com

The Trojan may then be redirected to one of the following domains:

* li107-40.members.linode.com

* ftp2.homeunix.com

* update.ourhobby.com

The Trojan also stores configuration information in the following registry entries:

* HKEY_LOCAL_MACHINE\Software\Sun\1.1.2\"IsoTp"

* HKEY_LOCAL_MACHINE\Software\Sun\1.1.2\"AppleTlk"
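As an added example (not part of this page or of the vendor write-up it reproduces), the following Python script turns the indicators listed above into offline triage checks: it decodes the netsvcs hex dump, matches service names against the RaS[FOUR RANDOM CHARACTERS] pattern, splits a REG_MULTI_SZ blob, looks for the dropped or probed files under expanded %Temp% and %System% paths, and scans DNS log lines for the C&C and redirect domains. All host data below is constructed sample input; the assumption that the four random characters are alphanumeric is mine, not the write-up's. Two caveats for anyone using it in anger: "6to4" is also the name of the legitimate IPv6 Helper Service on Windows XP, so that netsvcs value on its own is weak evidence and should be correlated with the RaS service key and the dropped files; and 8866.org, homelinux.org and homeunix.com are dynamic-DNS providers, so the resolved addresses change and matching must be on the hostname, not an IP.

```python
"""Offline triage of the Trojan.Hydraq indicators listed above.

Added example, not part of the original page. Runs against constructed sample
data (service names, a REG_MULTI_SZ blob, DNS log lines, file paths) so it can
be exercised anywhere; swap the samples for real host exports when triaging.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators transcribed from the write-up.
HYDRAQ_DOMAINS = {
    "yahooo.8866.org", "sl1.homelinux.org", "360.homeunix.com",
    "li107-40.members.linode.com", "ftp2.homeunix.com", "update.ourhobby.com",
}
HYDRAQ_FILES = {
    r"%Temp%\c_1758.nls", r"%Temp%\mdm.exe",
    r"%System%\acelpvc.dll", r"%System%\VedioDriver.dll",
}
HYDRAQ_CONFIG_KEY = r"HKEY_LOCAL_MACHINE\Software\Sun\1.1.2"
HYDRAQ_CONFIG_VALUES = {"IsoTp", "AppleTlk"}
NETSVCS_HEX = "36 00 74 00 6F 00 34 00 00"   # bytes shown in the write-up
# Assumption (not stated on the page): the four random characters are alphanumeric.
SERVICE_NAME_RE = re.compile(r"^RaS[0-9A-Za-z]{4}$")


def decode_netsvcs_hex(hex_dump: str) -> str:
    """Decode the hex dump shown for the netsvcs value (UTF-16LE) into text."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) % 2:            # the page shows an odd byte count; complete the NUL
        raw += b"\x00"
    return raw.decode("utf-16-le").rstrip("\x00")


def netsvcs_entries(multi_sz: bytes) -> list[str]:
    """Split a REG_MULTI_SZ blob (UTF-16LE, NUL-separated, double-NUL terminated)."""
    return [s for s in multi_sz.decode("utf-16-le").split("\x00") if s]


def suspicious_services(names: Iterable[str]) -> list[str]:
    """Service names matching the RaS[FOUR RANDOM CHARACTERS] pattern."""
    return [n for n in names if SERVICE_NAME_RE.match(n)]


def hydraq_dns_hits(log: str) -> list[tuple[str, str]]:
    """(client, name) pairs for queries to the C&C/redirect domains."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"client (\S+) query (\S+)", line)
        if m and m.group(2).lower().rstrip(".") in HYDRAQ_DOMAINS:
            hits.append((m.group(1), m.group(2)))
    return hits


def expand(template: str, env: dict[str, str]) -> str:
    """Expand %Temp%/%System% placeholders and lower-case for comparison."""
    for placeholder, value in env.items():
        template = template.replace(placeholder, value)
    return template.lower()


def hydraq_file_hits(paths: Iterable[str], env: dict[str, str]) -> list[str]:
    """Host paths that match a dropped or probed Hydraq file."""
    targets = {expand(t, env) for t in HYDRAQ_FILES}
    return sorted(p for p in paths if p.lower() in targets)


def registry_config_hits(values: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """(key, value-name) pairs matching the configuration entries."""
    return [(k, v) for k, v in values
            if k.lower() == HYDRAQ_CONFIG_KEY.lower() and v in HYDRAQ_CONFIG_VALUES]


# --- Constructed sample host data (not from any real incident) ---
SAMPLE_SERVICES = ["Browser", "RaSxk3q", "RasMan", "RaS1234", "RaSabcde"]
SAMPLE_NETSVCS = "AppMgmt\x00RaSxk3q\x006to4\x00\x00".encode("utf-16-le")
SAMPLE_ENV = {"%Temp%": r"C:\Documents and Settings\alice\Local Settings\Temp",
              "%System%": r"C:\WINDOWS\system32"}
SAMPLE_PATHS = [r"C:\WINDOWS\system32\acelpvc.dll",
                r"C:\WINDOWS\system32\kernel32.dll",
                r"C:\Documents and Settings\alice\Local Settings\Temp\c_1758.nls"]
SAMPLE_DNS_LOG = """\
12-Jan-2010 09:14:03 client 10.0.0.17 query update.microsoft.com A
12-Jan-2010 09:14:09 client 10.0.0.23 query yahooo.8866.org A
12-Jan-2010 09:14:11 client 10.0.0.23 query ftp2.homeunix.com A
"""
SAMPLE_REG_VALUES = [(r"HKEY_LOCAL_MACHINE\Software\Sun\1.1.2", "IsoTp"),
                     (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
                      "ProgramFilesDir")]


def triage() -> dict:
    """Run every check over the sample data and return the findings."""
    return {
        "netsvcs_value_from_writeup": decode_netsvcs_hex(NETSVCS_HEX),
        "services": suspicious_services(SAMPLE_SERVICES),
        "netsvcs_suspicious": suspicious_services(netsvcs_entries(SAMPLE_NETSVCS)),
        "dns": hydraq_dns_hits(SAMPLE_DNS_LOG),
        "files": hydraq_file_hits(SAMPLE_PATHS, SAMPLE_ENV),
        "registry": registry_config_hits(SAMPLE_REG_VALUES),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

On a real host, feed `suspicious_services` the output of `sc query` or the subkeys under HKLM\SYSTEM\CurrentControlSet\Services, and `netsvcs_entries` the raw REG_MULTI_SZ bytes of the SvcHost\netsvcs value; the service-name pattern is the most specific of the registry indicators, since a legitimate "6to4" entry appears in netsvcs on Windows XP anyway.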

Action Steps:
FREE SCAN: NoAdware can remove Trojan.Hydraq. Download it and scan your PC now.