MSIL/Tixiker [Threat Name] go to Threat

MSIL/Tixiker.A [Threat Variant Name]

Category trojan
Size 783360 B
Aliases Trojan-Dropper.Win32.Sysn.bhtn (Kaspersky)
  Trojan.Fakealert.38174 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %temp%\­hghgxcvgfhgbhfghh.exe (32768 B, MSIL/Bladabindi.BV)
  • %temp%\­vbvbhyfxvxdfgfggggg.exe (637440 B, Win32/HackTool.Patcher.A)

The trojan creates copies of the following files (source, destination):

  • %temp%\­hghgxcvgfhgbhfghh.exe, %appdata%\­Microsoft\­basicserv.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Windows@Basic" = "%appdata%\­Microsoft\­basicserv.exe"
Information stealing

The trojan collects the following information:

  • volume serial number
  • computer name
  • user name
  • operating system version
  • information about the operating system and system settings
  • installed antivirus software

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The TCP protocol is used.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • upload files to a remote computer
  • various file system operations
  • capture screenshots
  • simulate mouse activity

The trojan may attempt to download files from the Internet.


The files are stored in the following locations:

  • %startup%\­Windows Update.exe
  • %temp%\­%variable%.exe

The files are then executed.


A string with variable content is used instead of %variable% .


Please enable Javascript to ensure correct displaying of this content and refresh this page.