Win32/Hyndeks [Threat Name]

Win32/Hyndeks.AA [Threat Variant Name]

Category trojan
Size 122880 B
Detection created Sep 16, 2014
Detection database version 10426
Aliases TR/Crypt.Xpack.79176 (Avira)
Short description

Win32/Hyndeks.AA is a trojan which tries to download other malware from the Internet. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%malwarefilename%_14_11_24111.exe
  • %currentfolder%\%malwarefilename%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "ib14_11_24111" = "%appdata%\%malwarefilename%_14_11_24111.exe"

The following files may be dropped:

  • %currentfolder%\debug.log

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\InstallBoom]
    • "data_14_11_24111_%id%" = %config%
    • "InternalInfo" = %config%
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\xTremeMediaUniversalInstaller]
    • "UninstallString" = "%malwarefilepath% /uninstall"
    • "DisplayName" = "Универсальный Установщик Программ"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "%newhomepage%"

Information stealing
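A read-only hunting check for the persistence and configuration artefacts listed above, written here as an added example (it is not part of the ESET entry). It assumes the installation path and Registry names exactly as given above; the Wow6432Node variant of the Uninstall key is an assumption for 32-bit processes on 64-bit Windows.

```powershell
# Added example: report Win32/Hyndeks.AA artefacts described in this entry.
# Read-only: nothing is deleted or modified.
$findings = @()

# Run-key persistence: value "ib14_11_24111" pointing into %APPDATA%
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ib14_11_24111']) {
    $findings += [pscustomobject]@{
        Indicator = 'Run value ib14_11_24111'
        Value     = $run.'ib14_11_24111'
    }
}

# Dropped copy in %APPDATA%: <originalname>_14_11_24111.exe
Get-ChildItem -Path $env:APPDATA -Filter '*_14_11_24111.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'APPDATA copy'; Value = $_.FullName }
    }

# Configuration storage and the fake uninstall entry.
# The Wow6432Node path is an assumption: a 32-bit process on 64-bit Windows is
# redirected there when it writes the HKLM Uninstall key named on the page.
$keys = @(
    'HKCU:\Software\InstallBoom',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\xTremeMediaUniversalInstaller',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\xTremeMediaUniversalInstaller'
)
foreach ($k in $keys) {
    if (Test-Path -Path $k) {
        $findings += [pscustomobject]@{ Indicator = 'Registry key present'; Value = $k }
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Hyndeks.AA artefacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile is being examined, since the Run value and the InstallBoom key live under HKEY_CURRENT_USER.
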

The trojan collects the following information:

  • operating system version
  • locale
  • web browser version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • change the home page of web browser
  • uninstall itself

The trojan quits immediately if any of the following applications is detected:

  • VirtualBox
  • Parallels
  • Microsoft Hyper-V/Windows Virtual PC
  • Xen HVM
  • KVM
  • VMWare Workstation
  • Wine

The trojan may create the following files:

  • %temp%\%variable%.exe

A string with variable content is used instead of %variable%.


The trojan changes the home page of the following web browsers:

  • Mozilla Firefox
  • Yandex Browser
  • Google Chrome
  • Chromium
  • Opera
  • Microsoft Internet Explorer
