MSIL/Tixiker [Threat Name]
MSIL/Tixiker.A [Threat Variant Name]
Category | trojan |
Size | 783360 B |
Aliases | Trojan-Dropper.Win32.Sysn.bhtn (Kaspersky), Trojan.Fakealert.38174 (Dr.Web) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan creates the following files:
- %temp%\hghgxcvgfhgbhfghh.exe (32768 B, MSIL/Bladabindi.BV)
- %temp%\vbvbhyfxvxdfgfggggg.exe (637440 B, Win32/HackTool.Patcher.A)
The trojan creates copies of the following files (source, destination):
- %temp%\hghgxcvgfhgbhfghh.exe, %appdata%\Microsoft\basicserv.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Windows@Basic" = "%appdata%\Microsoft\basicserv.exe"
Information stealing
The trojan collects the following information:
- volume serial number
- computer name
- user name
- operating system version
- information about the operating system and system settings
- installed antivirus software
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The TCP protocol is used.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- uninstall itself
- upload files to a remote computer
- various file system operations
- capture screenshots
- simulate mouse activity
The trojan may attempt to download files from the Internet.
The files are stored in the following locations:
- %startup%\Windows Update.exe
- %temp%\%variable%.exe
The files are then executed.
A string with variable content is used instead of %variable%.
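The following PowerShell triage check is an added example, not part of the original description: it looks for the file paths and the Run value listed above in the profile of the user who runs it. The function name `Test-TixikerArtifacts` and its output fields are assumptions of this example; the `%temp%\%variable%.exe` download is not matched because its name varies.

```powershell
# Added example: host triage for the artifacts this description lists.
# Test-TixikerArtifacts and its output fields are names assumed for this example.
function Test-TixikerArtifacts {
    $findings = @()

    # Files from the description. Size is the byte count the page gives;
    # basicserv.exe is described as a copy of the 32768-byte dropped file.
    $startup = [Environment]::GetFolderPath('Startup')   # the page's %startup%
    $files = @(
        @{ Path = Join-Path $env:TEMP    'hghgxcvgfhgbhfghh.exe';   Size = 32768 }
        @{ Path = Join-Path $env:TEMP    'vbvbhyfxvxdfgfggggg.exe'; Size = 637440 }
        @{ Path = Join-Path $env:APPDATA 'Microsoft\basicserv.exe'; Size = 32768 }
        @{ Path = Join-Path $startup     'Windows Update.exe';      Size = $null }
    )
    foreach ($f in $files) {
        # -Force so hidden or system-attributed files are still found.
        $item = Get-Item -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Type      = 'File'
                Location  = $item.FullName
                Detail    = "$($item.Length) bytes, created $($item.CreationTime)"
                SizeMatch = if ($null -ne $f.Size) { $item.Length -eq $f.Size } else { $null }
            }
        }
    }

    # Run value used for persistence, read from the current user's hive.
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Windows@Basic' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{
            Type      = 'RunValue'
            Location  = "$runKey\Windows@Basic"
            Detail    = $run.'Windows@Basic'
            SizeMatch = $null
        }
    }
    return $findings
}

Test-TixikerArtifacts | Format-Table -AutoSize -Wrap
```

An empty result only covers the current user; the paths and the `HKEY_CURRENT_USER` value are per-user, so the check has to be repeated in each profile of interest.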