A multi-partite bootkit written in C. The bootkit can hide itself in the infected system. It consists of 8 components, 3 of which are drivers.
It has the following anti-analysis checks: on launch, it checks whether it is running on a virtual machine and searches the running processes for a debugger. The bootkit also scans the infected system for billing applications used in Chinese Internet cafes.
Components:
- Installer;
- cp.exe file;
- NtHook.sys driver;
- beep.sys driver;
- StartDriver driver;
- safemon.dll library;
- MBR;
- Shellcode injected into MBR.
Malicious functions:
- Replaces the home page of popular Web browsers with a page created by the criminals;
- Redirects HTTP traffic;
- Downloads and executes various files;
- Saves its shortcuts to the Windows Quick Launch toolbar, favorites, and desktop;
- Opens a Web page created by the criminals in Microsoft Internet Explorer on a schedule;
- Blocks access to Web sites on a list;
- Blocks the launch of applications on a list;
- Hides files stored on the hard drive;
- Infects MBR.
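Because the bootkit's persistence rests on the infected MBR, the defensive check a practitioner wants is an integrity comparison of sector 0 against a known-good baseline. The following is an added example (not code from the original description and not derived from the malware itself); it assumes a raw 512-byte copy of sector 0 and a SHA-256 of the boot-code region recorded when the machine was provisioned, and it uses constructed sample sectors rather than any real disk data.

```python
"""MBR integrity check.

Added example, not code from the original description or from the malware.
It assumes a raw 512-byte copy of sector 0 and a known-good SHA-256 of the
boot-code region recorded when the machine was provisioned.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: executable boot code, the part a bootkit replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510      # two-byte boot signature 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition table and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    bootable = 0
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["status"] == 0x80:
            bootable += 1
        if p["type"] != 0 and (p["lba_start"] == 0 or p["sectors"] == 0):
            findings.append(f"partition {i}: in use but starts at sector 0 or has zero length")
    if bootable > 1:
        findings.append("more than one partition flagged bootable")
    return findings


# --- constructed sample data (not taken from any real disk or malware sample) ---
def _build_sector(boot_code: bytes, entries: list) -> bytes:
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return boot_code + table + b"\x55\xAA"


CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
CLEAN_MBR = _build_sector(CLEAN_BOOT_CODE,
                          [struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 1_000_000)])
# Baseline as it would have been recorded at provisioning time.
BASELINE_HASH = boot_code_hash(CLEAN_MBR)
# Tampered copy: the first bytes of the boot code are overwritten with placeholder
# bytes (not a real bootkit stub); partition table and signature are left intact.
TAMPERED_MBR = _build_sector(b"\xEA\x00\x00\x00\x00" + CLEAN_BOOT_CODE[5:],
                             [struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 1_000_000)])


if __name__ == "__main__":
    # Usage: python mbr_check.py <sector0.bin> <baseline_sha256>
    with open(sys.argv[1], "rb") as f:
        data = f.read(SECTOR_SIZE)
    for finding in check_mbr(data, sys.argv[2]) or ["no findings"]:
        print(finding)
```

Read the sector from outside the infected operating system (a trusted rescue medium or a forensic image of the disk): a bootkit that hides itself, as this one does, may filter disk reads made from within the running system so that sector 0 appears clean. Re-record the baseline after any legitimate boot-loader update, otherwise every later check will report a mismatch.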
Operates on the following Web browser and application processes:
- SERVICES.EXE
- EXPLORER.EXE
- IEXPLORE.EXE
- QQBROWSER.EXE
- SOGOUEXPLORER.EXE
- 360SE.EXE
- GREENBROWSER.EXE
- FIREFOX.EXE
- MAXTHON.EXE
- THEWORLD.EXE
- OPERA.EXE
- CHROME.EXE
- SAFARI.EXE
- NAVIGATOR.EXE
- TTRAVELER.EXE
- 115BR.EXE
- CORAL.EXE
The command-and-control server is located in China. Because Trojan.Xytets can hide its presence in the system, it can also be classified as a rootkit.