Win32/Hikit [Threat Name] go to Threat

Win32/Hikit.E [Threat Variant Name]

Category trojan
Size 82432 B
Detection created Jul 24, 2014
Detection database version 10147
Aliases Backdoor:Win32/Hikiti.E (Microsoft)
  TR/Symmi.20726 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

The trojan does not create any copies of itself.


The trojan may create the following files:

  • %temp%\­https.sys (14848 B, Win32/Hikit.D)

The trojan may install the following system drivers (path, name):

  • %temp%\­https.sys, HTTPS
Information stealing

The trojan collects the following information:

  • CPU information
  • computer name
  • operating system version
  • memory status

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The TCP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send requested files
  • send the list of files on a specific drive to a remote computer
  • send the list of disk devices and their type to a remote computer
  • create files
  • create folders
  • execute shell commands
  • set up a proxy server

The trojan opens a random TCP port. A proxy is listening there.


It uses techniques common for rootkits.


The trojan hides its running process. The trojan hides its presence in the system.


The trojan hooks the following Windows APIs:

  • ZwDeviceIoControlFile (ntdll.dll)
  • ZwEnumerateKey (ntdll.dll)
  • ZwEnumerateValueKey (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)
  • ZwQuerySystemInformation (ntdll.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.