T9000
Posted: February 10, 2016
Threat Metric
The fields listed on the Threat Meter, each carrying a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criterion for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This demonstrates the change over a 7-day period in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 5 |
| First Seen: | February 10, 2016 |
| OS(es) Affected: | Windows |
T9000 is a spyware program that uses e-mail messages as its primary means of deployment. Although T9000's current campaigns are targeting US-based entities, T9000 includes a generous range of anti-security features and information-collecting attacks backed up by modularity, making its potential victim list highly flexible. Because this threat uses multiple methods of hiding its identity from both PC users and some popular brands of PC security products, habitually updating your anti-malware software is a critical step in identifying or removing T9000.
All the Intel on the Latest Intel-Gathering Trojan
T9000 is a modern update to a backdoor Trojan-spyware combination last seen in 2014 under the name of T5000 (or Plat1), during campaigns against automotive companies and e-mail users interested in the Malaysian flight MH370. Its developers have supplemented previous attack capabilities with modern anti-security features intended to stop any attempted identification or analysis of this threat. However, enough information is available to make clear the majority of T9000's features, as well as those of its active modules.
The installer for T9000 uses e-mail distribution methods, concealing its Trojan dropper in the form of a file attachment such as an RTF text document. After going through a multiple-stage procedure for evading various security apps, T9000 is installed to an AppData\Intel folder, including with it various baseline backdoor features. By itself, T9000 may harvest system information, run system commands, initiate downloads or uploads, delete files, and generate or terminate processes. Malware experts also can confirm the presence of other commands with unknown functions.
Besides all of these backdoor features, T9000 also includes support for spyware modules, such as:
- Tyeu.dat captures screenshots of both the user's desktop and applications, such as their text editor. Other features also let Tyeu.dat record Skype conversations, including audio, video and text data.
- Vnk.dat creates copies of files stored on any removable devices (USB drives, for example), emphasizing file types such as spreadsheets and documents.
- Qhnj.dat hooks itself into various Windows function calls. It can monitor used Unicode characters, as well as any file and program changes on a system-wide level.
Unplugging Skype from a Spy's Explorations
T9000's author has put significant effort into stopping various PC security companies from analyzing samples of this threat, which includes multiple checks against AV solutions, features for identifying brands like Norton or Sophos, and different installation routines under various circumstances. In turn, keeping your security software equipped with the latest database updates is necessary for identifying T9000 as soon as possible.
Although spyware programs rarely show any intentional symptoms of their presence, not all of T9000's modules have designs with the same attention to stealth. Tyeu.dat may create Skype usage requests through the Windows 'explorer.exe' file whenever that chat application launches, which can be a very visible sign of the presence of this threat. Paying attention to the contents of your AppData folder and Registry also can help you identify some components of T9000 or its modules.
News headlines for T9000 have focused on its Skype-monitoring capabilities. However, T9000 is sufficiently flexible and broad in its feature scope to include other attacks and forms of harm against NGOs, governments, businesses, and personal PC owners alike. As shown in past campaigns with the T5000, the costs of not monitoring your e-mail behavior and keeping updated anti-malware protection can be quite high.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

| File name | Size | MD5 | Detection count | File type | Mime type | Group | Last updated |
|---|---|---|---|---|---|---|---|
| file.exe | 42.49 KB (42497 bytes) | b9c584c7c34d14599de8cd3b72f2074b | 92 | Executable File | unknown/exe | Malware file | February 29, 2016 |
| file.exe | 80.41 KB (80417 bytes) | a9de62186cb8d0e23b0dc75e1ae373ac | 81 | Executable File | unknown/exe | Malware file | February 29, 2016 |
| file.exe | 76.9 KB (76907 bytes) | d3601a5160b8d122261989d147221eb7 | 64 | Executable File | unknown/exe | Malware file | February 29, 2016 |
| file.dll | 66.04 KB (66048 bytes) | 2299fb8268f47294eb2b18282540a955 | 41 | Dynamic link library | unknown/dll | Malware file | February 29, 2016 |
| file.dll | 8.19 KB (8192 bytes) | 1d335f6a58cb9fab503a9b9cb371f57b | 24 | Dynamic link library | unknown/dll | Malware file | February 29, 2016 |
| file.dat | 51.35 KB (51352 bytes) | 35f4ce864c3a3dc016fea3459d6402a9 | 10 | Data file | unknown/dat | Malware file | February 29, 2016 |
| file.exe | 589.31 KB (589312 bytes) | d8d70851641efbdfce8d561e6b1a2f29 | 1 | Executable File | unknown/exe | Malware file | February 29, 2016 |
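The article names an AppData\Intel install folder, three module file names (Tyeu.dat, Vnk.dat, Qhnj.dat) and seven MD5 hashes, and suggests checking the AppData folder for components. The script below is an added example, not code from the page or from any vendor, that turns those indicators into a simple offline file check: it walks a directory, streams each file through MD5, and reports files whose hash is in the listed set or whose name matches one of the module names. It assumes the folder is under the Roaming profile (%APPDATA%); that detail is not stated on the page, so pass another path on the command line if needed. Hash matching alone will miss repacked samples, which is why the name check is kept as a second, weaker signal.

```python
"""Added example: check a folder for the T9000 hashes and module names listed
on the page. The default scan root (%APPDATA%/Intel, i.e. Roaming) is an
assumption; the page only says "AppData\\Intel"."""
import hashlib
import os
import sys

# MD5 values exactly as listed in the File System Modifications table above.
T9000_MD5S = {
    "b9c584c7c34d14599de8cd3b72f2074b",
    "a9de62186cb8d0e23b0dc75e1ae373ac",
    "d3601a5160b8d122261989d147221eb7",
    "2299fb8268f47294eb2b18282540a955",
    "1d335f6a58cb9fab503a9b9cb371f57b",
    "35f4ce864c3a3dc016fea3459d6402a9",
    "d8d70851641efbdfce8d561e6b1a2f29",
}

# Module file names named in the article; compared case-insensitively.
T9000_MODULE_NAMES = {"tyeu.dat", "vnk.dat", "qhnj.dat"}


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, md5_set=T9000_MD5S, name_set=T9000_MODULE_NAMES):
    """Walk `root` and return a list of (path, reason, md5) tuples.

    A file is reported when its MD5 is in `md5_set` ("hash match") or, failing
    that, when its base name is one of the module names ("name match").
    Unreadable files are skipped so one locked file does not abort the scan.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in md5_set:
                findings.append((path, "hash match", digest))
            elif name.lower() in name_set:
                findings.append((path, "name match", digest))
    return findings


def default_scan_root():
    """Assumed location of the article's AppData\\Intel folder (Roaming profile)."""
    appdata = os.environ.get("APPDATA", os.path.expanduser("~"))
    return os.path.join(appdata, "Intel")


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else default_scan_root()
    if not os.path.isdir(root):
        print(f"{root}: not present (nothing to scan)")
        sys.exit(0)
    hits = scan_directory(root)
    for path, reason, digest in hits:
        print(f"{reason}: {path} md5={digest}")
    print(f"{len(hits)} suspicious file(s) under {root}")
```

Run it with no arguments to check the assumed %APPDATA%\Intel folder, or pass any directory to scan it instead; the MD5 and name sets can be swapped for other indicators by passing `md5_set` and `name_set` to `scan_directory`.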