Trojan:WinNT/Omexo.A is a kernel-mode trojan driver that installs itself to run when certain Windows processes or services are accessed and hides specific processes. This malware may be installed by TrojanDownloader:Win32/Omexo.A.
This trojan component may be installed by other malware such as TrojanDropper:Win32/Omexo.A or TrojanDownloader:Win32/Omexo.A. This malware may be present as several randomly named files as in the following examples:
WinNT/Omexo.A injects code into the running processes "explorer.exe" and "services.exe". The trojan component creates a pipe named "\\pipe\auxiliary_pipe_ox41545550" to allow communication with other injected processes, including "services.exe". The trojan may hook the following Windows APIs:
The registry is modified to run the trojan component as a service. It may attach itself to the following devices as a filter driver:
In this way, the trojan component executes every time the computer uses the TCP/IP protocol, the hard drive or the keyboard.
Hides specified process
Trojan:WinNT/Omexo.A hooks a Windows API entry from the System Service Descriptor Table (SSDT) named "ZwQuerySystemInformation" to hide a process named "puta_awklJz".
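The two host-observable indicators in this description, the named pipe and a process hidden from enumeration, can both be checked from user mode. The script below is an added example, not part of the Microsoft write-up and not code from the malware author: it looks for the pipe name in the \\.\pipe\ namespace, then performs a cross-view comparison, enumerating processes with Get-Process (which goes through the NtQuerySystemInformation path the SSDT hook filters) and separately opening every possible PID with OpenProcess, which a hook on ZwQuerySystemInformation alone does not affect. The function names, the PID range, and the reporting format are the example's own choices; the pipe name and process name come from the description above, and PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is the standard Win32 access right.

```powershell
# Added example (not from the Omexo write-up): user-mode checks for the two
# indicators named in the description. Windows only; run elevated so that
# OpenProcess succeeds for processes owned by other accounts.

$nativeSource = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class NativeProc
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool QueryFullProcessImageName(IntPtr process, uint flags, StringBuilder exeName, ref uint size);
}
'@
if (-not ('NativeProc' -as [type])) { Add-Type -TypeDefinition $nativeSource }

# Indicators taken from the description above.
$PipeName          = 'auxiliary_pipe_ox41545550'
$HiddenProcessName = 'puta_awklJz'
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Test-OmexoPipe {
    # Named pipes stay visible in the \\.\pipe\ namespace even when the process
    # that created them is hidden from process enumeration.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        Where-Object { [System.IO.Path]::GetFileName($_) -eq $PipeName }
}

function Get-CrossViewHiddenProcess {
    # View 1: the enumeration a hooked ZwQuerySystemInformation can filter.
    $visible = @{}
    Get-Process | ForEach-Object { $visible[[int]$_.Id] = $true }

    # View 2: open each possible PID directly (PIDs are multiples of 4).
    # Hooking the enumeration call does not stop OpenProcess by PID.
    $hidden = @()
    for ($candidate = 4; $candidate -le 65532; $candidate += 4) {
        $h = [NativeProc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        if ($h -eq [IntPtr]::Zero) { continue }
        try {
            if (-not $visible.ContainsKey($candidate)) {
                $buf  = New-Object System.Text.StringBuilder 1024
                $len  = [uint32]$buf.Capacity
                $path = if ([NativeProc]::QueryFullProcessImageName($h, 0, $buf, [ref]$len)) { $buf.ToString() } else { '<unknown>' }
                $hidden += [pscustomobject]@{ Pid = $candidate; Path = $path }
            }
        }
        finally {
            [void][NativeProc]::CloseHandle($h)
        }
    }
    $hidden
}

function Invoke-OmexoCheck {
    $pipes = @(Test-OmexoPipe)
    if ($pipes.Count -gt 0) { "Pipe indicator present: $($pipes -join ', ')" }

    $hidden = @(Get-CrossViewHiddenProcess)
    foreach ($p in $hidden) {
        $leaf = [System.IO.Path]::GetFileName($p.Path)
        $flag = if ($leaf -like "$HiddenProcessName*") { 'matches the Omexo process name' } else { 'not in enumeration; verify manually' }
        "PID $($p.Pid) $($p.Path) : $flag"
    }
    if ($pipes.Count -eq 0 -and $hidden.Count -eq 0) { 'No Omexo indicators found.' }
}

Invoke-OmexoCheck
```

A process that starts or exits between the two views can show up once as a false positive, so re-run before acting on a single hit, and treat the pipe name as the more specific signal. The cross-view check relies on the description's statement that only the enumeration call is hooked; if the driver also interposed on process opening (the description's list of hooked APIs is not reproduced here), both views would agree and a kernel-level or offline inspection would be needed instead.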
Analysis by Tim Liu