
Hesive.b

Posted: March 28, 2006

Hesive.b is a backdoor that gives an attacker unauthorized remote access to the compromised PC. It lets the intruder download, upload and run arbitrary files, execute commands, terminate running processes, modify the computer's configuration through the registry, and collect computer and network information. Hesive.b injects malicious code into legitimate processes and uses a rootkit to hide all of its files and registry entries. The backdoor runs as a service on every Windows startup.

File System Modifications

  • The following files were created in the system:
    1. hms.exe
    2. zykheptd.dll
    3. zykheptd.sys

Registry Modifications

  • The following Registry keys and values were newly created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        (default) = rundll32.exe [filename]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZYKHEPTD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykheptd
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters
        ServiceDLL = %System%\zykheptd.dll
    do98work
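The registry modifications above are the backdoor's two persistence mechanisms: a rundll32.exe launcher in the Run key, and the ServiceDLL of the legitimate dmserver service repointed at zykheptd.dll so svchost loads the backdoor at startup, plus the LEGACY_ZYKHEPTD device node that appears when its driver is installed. The following added example (not code from the original page) scans a Windows .reg export for those three indicators and correlates them, so that a LEGACY_* node is only reported when it matches a module already flagged by one of the other two checks. The sample export, the file paths in it, and the baseline of expected ServiceDll values are constructed assumptions for the example; a real baseline is taken from a known-clean host of the same Windows build.

```python
"""Added example: scan a Windows .reg export for the persistence indicators this
entry lists (Run-key rundll32.exe launcher, ServiceDll repointed to a foreign DLL,
LEGACY_* device node for the driver). Not code from the original page."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample export: one clean Run value and one clean service beside the
# modifications attributed to Hesive.b. Paths and value data are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
@="rundll32.exe zykheptd.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BEEP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZYKHEPTD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\browser.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\zykheptd.dll"
"""

# Baseline of the DLL each svchost-hosted service should load. Build it from a
# known-clean host of the same Windows build; the two entries here are an
# assumption for the example (dmserver is the service this page names).
EXPECTED_SERVICE_DLL = {"dmserver": "dmserver.dll", "browser": "browser.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

Finding = Tuple[str, str, str]  # (indicator, registry key, detail)


def _unquote(s: str) -> str:
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def _stem(path: str) -> str:
    """Lower-case file name without directory, extension, or a trailing ',Entry'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].split(",", 1)[0]
    return name.rsplit(".", 1)[0].lower()


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg subset needed here: [key] headers and "name"=value lines.
    Quoted strings are unescaped; dword:/hex: encodings are kept as raw text."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            tree.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = "(default)" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2).strip()
            tree[current][name] = _unquote(data) if data.startswith('"') else data
    return tree


def scan(reg: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one finding per indicator present in the parsed export."""
    findings: List[Finding] = []
    suspects: Set[str] = set()  # module stems tied to the flagged launchers
    for key, values in reg.items():
        parts = key.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "currentversion" and parts[-1].lower() == "run":
            # 1. Run-key values that start rundll32.exe: the page says the backdoor
            #    launches its DLL this way from the key's (default) value.
            for name, data in values.items():
                if data.lower().startswith("rundll32"):
                    findings.append(("run-key rundll32 launcher", key, f"{name}={data}"))
                    args = data.split(None, 1)
                    if len(args) > 1:
                        suspects.add(_stem(args[1]))
        elif len(parts) >= 3 and parts[-3].lower() == "services" and parts[-1].lower() == "parameters":
            # 2. ServiceDll repointed away from the baseline, so svchost loads the
            #    backdoor DLL under a legitimate service (dmserver on this page).
            svc = parts[-2].lower()
            for name, data in values.items():
                if name.lower() == "servicedll" and svc in EXPECTED_SERVICE_DLL:
                    loaded = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                    if loaded != EXPECTED_SERVICE_DLL[svc]:
                        findings.append(("servicedll hijack", key, f"{svc} loads {data}"))
                        suspects.add(_stem(data))
    for key in reg:
        parts = key.split("\\")
        # 3. Enum\Root\LEGACY_<name> is created when a kernel driver <name> is
        #    installed; flag it only when <name> matches a module flagged above.
        if len(parts) >= 2 and parts[-2].lower() == "root" and parts[-1].upper().startswith("LEGACY_"):
            driver = parts[-1][len("LEGACY_"):].lower()
            if driver in suspects:
                findings.append(("legacy device node for flagged driver", key, driver))
    return findings


def scan_reg_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse then scan."""
    return scan(parse_reg(text))


if __name__ == "__main__":
    for indicator, key, detail in scan_reg_text(SAMPLE_REG):
        print(f"[{indicator}] {key}: {detail}")
```

On the constructed sample the scan reports the Run-key launcher, the dmserver ServiceDll pointing at zykheptd.dll, and the matching LEGACY_ZYKHEPTD node; the clean ctfmon.exe value, the Browser service and LEGACY_BEEP are not reported. Because the rootkit hides its files and registry entries from the live system, run the scan against an export taken from an offline copy of the hive (or a hive read from a different OS instance) rather than against the running machine.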