Trojan:WinNT/Mediyes.B

Trojan:WinNT/Mediyes.B is a rootkit driver that is installed by the Mediyes malware family, a multi-component trojan that steals account information for online payment systems.

Installation

Trojan:WinNT/Mediyes.B may be installed by other malware, such as TrojanDropper:Win32/Mediyes.C, and registered as a system service.

Trojan:WinNT/Mediyes.B has a file name with the following format:

<system folder>\drivers\hid<random characters>.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

For example:

• <system folder>\drivers\hidiun4f.sys
• <system folder>\drivers\hidwutp3.sys
• <system folder>\drivers\hiddvy3v.sys
• <system folder>\drivers\hid2alpz.sys

It may create the following registry key as part of its service installation:

HKLM\SYSTEM\CurrentControlSet\Services\hid<random characters>

For example:

HKLM\SYSTEM\CurrentControlSet\Services\hidiun4f
HKLM\SYSTEM\CurrentControlSet\Services\hiddvy3
HKLM\SYSTEM\CurrentControlSet\Services\hid2alp
HKLM\SYSTEM\CurrentControlSet\Services\hidiun4f
HKLM\SYSTEM\CurrentControlSet\Services\hidwutp

Payload

Hides processes

Trojan:WinNT/Mediyes.B is a rootkit component that is able to perform the following actions:

• Hide itself
• Hide processes and registry keys
• Inject code into running processes

Analysis by Mihai Calota