Win32/Ixeshe [Threat Name] go to Threat

Win32/Ixeshe.T [Threat Variant Name]

Category trojan
Size 123904 B
Detection created Oct 30, 2014
Detection database version 10646
Aliases Variant.Zusy.2853 (BitDefender)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following folder:

  • %appdata%\­Flash\­

The following files are dropped into the %appdata%\Flash\ folder:

  • wmiprv.exe (23552 B

The file is then executed.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%appdata%\­Flash\­wmiprv.exe"

The trojan creates the following file:

  • %malwarefilename%.doc (35840 B)

The trojan opens the file using the default associated application.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • computer name
  • user name
  • computer IP address
  • proxy server settings
  • operating system version

The trojan can send the information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.