VirTool:WinNT/Xiaoho

Installation

VirTool:WinNT/Xiaoho may have the file name "BundKilling.sys" in either the %Temp% or <system folder> folder.

Note:

• %Temp% refers to a variable location that is determined by the malware by querying the operating system. In Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user name>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp"
• <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and W8 it is "C:\Windows\System32"

VirTool:WinNT/Xiaoho is registered as a service so that it automatically runs every time Windows starts:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\PspKiller
Sets value: "ServiceName"
With data: "PspKiller"
Sets value: "DisplayName"
With data: "PspKiller"
Sets value: "BinaryPathName"
With data: "%Temp%\BundKilling.sys"

Payload

Stops target processes from running

VirTool:WinNT/Xiaoho stops target processes from running. This functionality is often used by other malware as part of their malicious activities. In the wild, this code has been found in the following malware:

• Backdoor:Win32/Hupigon.DZ
• VirTool:Win32/Obfuscator.EH

Analysis by Steven Zhou