Description
This trojan is a rootkit written for NT-based Windows operating systems. Its purpose is to hide files and processes on the affected machine from the user and from the tools the user would normally inspect them with.
When executed, the trojan silently copies itself to the %System% directory under the same filename as the original executable, and then deletes the original. Because the name is inherited from whatever the file was called when it was run, it varies from one infection to another.
Note: '%System%' is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for Windows 95, 98 and ME, and C:\Windows\System32 for Windows XP. Since the trojan targets NT-based Windows, the Windows 9x/ME path is listed only for completeness.
It also drops a .DLL component (which may be detected as Win32/Aluroot.A.DLL.Trojan by CA antivirus solutions). The file name of the .DLL varies, but it always starts with the letters "HD" followed by a few random characters, for example HDKJ.DLL or HDAH.DLL. The size of the .DLL is fixed at 12,169 bytes, which makes the size a more reliable indicator than the name.
The trojan sets the following registry value in order to run itself again on next reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<trojan filename.exe> = "<trojan filename.exe>"
where the string "<trojan filename.exe>" is the variable filename used by the trojan.
The trojan creates the following registry entry in order to store data:
HKLM\Software\Microsoft\Windows\CurrentVersion\Hd
The trojan also hides its process, and any files or registry entries it has created, from view. Because the regular utilities, such as Regedit, Windows Explorer and Task Manager, query the same operating-system interfaces the rootkit subverts, an affected user will not be able to view these system modifications with them while the trojan is running.
Note: The files and registry entries become visible when Windows is started in Safe Mode, because the trojan is unable to run in that configuration. Safe Mode is therefore the place to inspect and remove the entries listed above.
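The following triage script is an added example and is not part of the CA write-up. It checks the three indicators described above (the HD*.DLL component of 12,169 bytes in %System%, a Run value whose name and data are both the bare trojan filename, and the Hd data key). Because the rootkit hides exactly these artifacts from the Win32 API that PowerShell uses, the script must be run from Safe Mode, as the note above requires; a clean result in Normal Mode proves nothing. The bound of one to six trailing characters in the DLL name pattern is an assumption based on the two sample names, not a figure from the description.

```powershell
# Added triage script for the Win32/Aluroot.A indicators described above.
# Not CA's code. Run from Safe Mode: on a live infected system the rootkit
# hides these files, processes and registry entries from the Win32 API.

# Resolve %System% the same way the trojan does, by asking the OS.
$system = [Environment]::GetFolderPath('System')
$findings = @()

# 1. DLL component: "HD" + a few random characters, always 12,169 bytes.
#    The 1-6 character bound is an assumption; the size is the hard indicator.
Get-ChildItem -Path $system -Filter 'HD*.dll' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -eq 12169 -and $_.BaseName -match '^HD\w{1,6}$' } |
    ForEach-Object { $findings += "DLL component: $($_.FullName) ($($_.Length) bytes)" }

# 2. Run key: value name is "<name>.exe" and the data is the same bare name,
#    and that file exists in %System%.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $name = $p.Name
        $data = ([string]$p.Value).Trim('"')
        if ($name -match '\.exe$' -and $data -ieq $name) {
            $exe = Join-Path $system $name
            if (Test-Path -LiteralPath $exe) {
                $findings += "Run entry '$name' = '$($p.Value)' -> $exe"
            }
        }
    }
}

# 3. Data key the trojan creates.
$hdKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Hd'
if (Test-Path -LiteralPath $hdKey) {
    $findings += "Data key present: $hdKey"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Aluroot.A indicators found (meaningless unless run in Safe Mode).'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

The Run-key test is deliberately strict: a legitimate autorun entry normally carries a full path in its data, whereas the entry described above stores only the bare filename, relying on %System% being on the search path. Matching on that shape, plus the presence of the same file in %System%, keeps false positives low without knowing the variable filename in advance.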
Analysis by Vitaly Neyman