Trojan:WinNT/Omexo.A


Trojan:WinNT/Omexo.A is a kernel-mode trojan driver that installs itself as a filter driver so that it runs whenever certain Windows driver stacks (network, disk, keyboard) are used, and that hides a specific process from process listings. This malware may be installed by TrojanDownloader:Win32/Omexo.A.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Installation
This trojan component may be installed by other malware such as TrojanDropper:Win32/Omexo.A or TrojanDownloader:Win32/Omexo.A. The driver may be present under several randomly generated file names in the drivers subdirectory, for example:
 
<system folder>\drivers\zfuwun.sys
<system folder>\drivers\eitvki86th.sys
<system folder>\drivers\57vlbxv.sys
<system folder>\drivers\fsihned.sys
<system folder>\drivers\hs3pa8imdw.sys
<system folder>\drivers\mith77.sys
<system folder>\drivers\boiica.sys
<system folder>\drivers\yv9ty04.sys
<system folder>\drivers\tn4frk.sys
<system folder>\drivers\dxabsqk.sys
 
WinNT/Omexo.A injects code into the running processes "explorer.exe" and "services.exe". The trojan component creates a pipe named "\\pipe\auxiliary_pipe_ox41545550" to allow communication between the injected processes, including "services.exe". The trojan may hook the following functions (the first two are the ntdll.dll system-call return stub and the kernel-to-user callback dispatcher rather than documented APIs, so hooking them gives the injected code a foothold on every system call return and every user-mode callback):

KiFastSystemCallRet
KiUserCallbackDispatcher
ZwReadFile
 
The registry is modified to run the trojan component as a kernel-driver service whose image is one of the .sys files listed above. It may attach itself to the device stacks of the following driver objects as a filter driver:

\Driver\Tcpip
\Driver\Disk
\Driver\PartMgr
\Driver\kbdclass

In this way, the trojan component executes every time the system uses TCP/IP networking, the disk or its partition manager, or the keyboard.
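The installation artifacts above (a kernel-driver service whose ImagePath points at a randomly named .sys in the drivers folder) are what a responder would check first. The following triage routine is an added example, not code from this entry or from Microsoft's tools: it runs offline over a constructed list of service entries in the shape of HKLM\SYSTEM\CurrentControlSet\Services (name, Type, ImagePath), reports every kernel-driver service loading an unknown .sys from the drivers folder, and ranks the hits by a name-randomness score. The allow-list, the sample entries and the scoring thresholds are assumptions; on a live host the entries would come from the registry and the allow-list from a known-good baseline.

```python
import re

# Constructed sample of Services entries: (service name, Type, ImagePath).
# Type 1 is SERVICE_KERNEL_DRIVER. Three entries mimic the randomly named
# Omexo drivers listed in this entry; the rest are benign controls.
SAMPLE_SERVICES = [
    ("Tcpip",      1, r"system32\drivers\tcpip.sys"),
    ("Disk",       1, r"system32\drivers\disk.sys"),
    ("kbdclass",   1, r"system32\drivers\kbdclass.sys"),
    ("partmgr",    1, r"system32\drivers\partmgr.sys"),
    ("Spooler",   16, r"%SystemRoot%\System32\spoolsv.exe"),
    ("zfuwun",     1, r"\SystemRoot\system32\drivers\zfuwun.sys"),
    ("eitvki86th", 1, r"\SystemRoot\system32\drivers\eitvki86th.sys"),
    ("57vlbxv",    1, r"system32\drivers\57vlbxv.sys"),
]

# Hypothetical allow-list; a real one is the baseline of drivers the
# organisation expects on the host (with signatures verified separately).
KNOWN_DRIVERS = {"tcpip.sys", "disk.sys", "kbdclass.sys", "partmgr.sys"}
SERVICE_KERNEL_DRIVER = 1
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


def randomness_score(stem):
    """Score 0-3 for how machine-generated a driver name stem looks.

    Each check is one point: almost no vowels, digits mixed into the name,
    and a run of four or more consonants. Used only to rank unknown
    drivers; the allow-list decides what is reported.
    """
    stem = stem.lower()
    score = 0
    letters = [c for c in stem if c.isalpha()]
    vowels = sum(c in "aeiouy" for c in letters)
    if letters and vowels / len(letters) < 0.25:
        score += 1
    if re.search(r"[a-z]\d+[a-z]", stem) or re.match(r"^\d", stem):
        score += 1
    if CONSONANT_RUN.search(stem):
        score += 1
    return score


def driver_basename(image_path):
    """Lower-cased file name from an ImagePath value.

    Kernel-driver ImagePaths come in several forms
    ('\\SystemRoot\\system32\\drivers\\x.sys', 'system32\\drivers\\x.sys');
    only the tail matters here.
    """
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_drivers_dir(image_path):
    return "\\drivers\\" in image_path.replace("/", "\\").lower()


def suspicious_drivers(services, known=KNOWN_DRIVERS):
    """Kernel-driver services that load an unknown .sys from the drivers folder.

    Returns (service_name, file_name, randomness_score) tuples, most
    machine-looking names first.
    """
    hits = []
    for name, svc_type, image_path in services:
        if svc_type != SERVICE_KERNEL_DRIVER:
            continue          # user-mode services are out of scope here
        fname = driver_basename(image_path)
        if not fname.endswith(".sys") or not in_drivers_dir(image_path):
            continue
        if fname in known:
            continue
        hits.append((name, fname, randomness_score(fname[:-4])))
    hits.sort(key=lambda h: -h[2])
    return hits


if __name__ == "__main__":
    for svc, fname, score in suspicious_drivers(SAMPLE_SERVICES):
        print(f"unknown kernel driver service {svc!r} -> {fname} (score {score})")
```

The score is deliberately a tie-breaker, not a verdict: a short legitimate name such as tcpip.sys also has few vowels, which is why the report is driven by absence from the baseline and the score only orders the list for review.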
Payload
Hides a specific process
Trojan:WinNT/Omexo.A hooks the System Service Descriptor Table (SSDT) entry for "ZwQuerySystemInformation" so that a process named "puta_awklJz" is omitted from the process list returned to callers.
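Hiding a process through a ZwQuerySystemInformation hook works by letting the original call fill the caller's buffer and then unlinking the target entry from the NextEntryOffset chain of SYSTEM_PROCESS_INFORMATION records. The following is an added example, not code from this entry or from the malware: it simulates that unlinking on a constructed buffer and shows the cross-view check a responder uses to catch it, comparing the hooked listing with an independent set of PIDs. The record layout is a simplified stand-in for the real structure (only NextEntryOffset and the image name are modelled), and the process list and PIDs are constructed.

```python
import struct

# Simplified stand-in for SYSTEM_PROCESS_INFORMATION. The real structure is
# larger and variable-sized; the fields that matter for hiding are
# NextEntryOffset (first DWORD, 0 on the final record) and ImageName.
# Assumed layout: NextEntryOffset:u32, UniqueProcessId:u32, ImageName:32 bytes UTF-16.
ENTRY = struct.Struct("<II32s")

# Constructed process list; 2208 plays the role of the hidden process.
SAMPLE_PROCESSES = [
    (0, "Idle"), (4, "System"), (612, "services.exe"),
    (1484, "explorer.exe"), (2208, "puta_awklJz"), (2356, "notepad.exe"),
]


def build_process_buffer(processes):
    """Pack (pid, name) pairs into a NextEntryOffset-linked buffer."""
    buf = bytearray()
    for i, (pid, name) in enumerate(processes):
        last = i == len(processes) - 1
        buf += ENTRY.pack(0 if last else ENTRY.size, pid,
                          name.encode("utf-16-le")[:32])
    return buf


def walk(buf):
    """Read the list the way a caller of ZwQuerySystemInformation does."""
    out, off = [], 0
    while True:
        nxt, pid, raw = ENTRY.unpack_from(buf, off)
        out.append((pid, raw.decode("utf-16-le").rstrip("\x00")))
        if nxt == 0:
            return out
        off += nxt


def hide_process(buf, target):
    """Unlink every record named `target` in place, as the hook does after
    calling the original function.

    Only the predecessor's NextEntryOffset is rewritten; the hidden record's
    bytes stay in the buffer, which is why raw-buffer carving can still
    recover it. The first record (the Idle process) is never unlinked.
    """
    prev_off, off = None, 0
    while True:
        nxt, pid, raw = ENTRY.unpack_from(buf, off)
        name = raw.decode("utf-16-le").rstrip("\x00")
        if name == target and prev_off is not None:
            prev_nxt = ENTRY.unpack_from(buf, prev_off)[0]
            # point the predecessor at our successor, or end the list
            struct.pack_into("<I", buf, prev_off, 0 if nxt == 0 else prev_nxt + nxt)
        else:
            prev_off = off
        if nxt == 0:
            return buf
        off += nxt


def cross_view(visible, independent_pids):
    """PIDs present in an independent view but missing from the API listing.

    `independent_pids` stands in for a second source a responder trusts more
    than the hooked API (OpenProcess over every PID, the handle table, or a
    memory image). Anything there but not in `visible` is hidden.
    """
    seen = {pid for pid, _ in visible}
    return sorted(independent_pids - seen)


def demo():
    buf = build_process_buffer(SAMPLE_PROCESSES)
    clean = walk(buf)
    hide_process(buf, "puta_awklJz")
    hooked = walk(buf)
    hidden = cross_view(hooked, {pid for pid, _ in SAMPLE_PROCESSES})
    return clean, hooked, hidden


if __name__ == "__main__":
    clean, hooked, hidden = demo()
    print("clean :", [n for _, n in clean])
    print("hooked:", [n for _, n in hooked])
    print("hidden PIDs:", hidden)
```

The cross-view step is the practical takeaway: a single API view cannot reveal a process that the SSDT hook removes from it, so detection needs a second source that the hooked call does not mediate.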
 
Analysis by Tim Liu

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of several randomly named .sys files in the "drivers" subdirectory, as in the following examples:
    <system folder>\drivers\zfuwun.sys
    <system folder>\drivers\eitvki86th.sys
    <system folder>\drivers\57vlbxv.sys
    <system folder>\drivers\fsihned.sys
    <system folder>\drivers\hs3pa8imdw.sys
    <system folder>\drivers\mith77.sys
    <system folder>\drivers\boiica.sys
    <system folder>\drivers\yv9ty04.sys
    <system folder>\drivers\tn4frk.sys
    <system folder>\drivers\dxabsqk.sys
  • Alert notifications from installed antivirus software may be the only symptom(s).

Alert level: Severe
First detected by definition: 1.61.1709.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jul 16, 2009
This entry was first published on: Nov 05, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Agent.PUK (ESET)
  • Trojan-Dropper.Win32.Agent.awen (Kaspersky)
  • Trojan.DR.Agent.NLMH (VirusBuster)