Threat Encyclopedia

Win32/Lnkhyd.AA

Aliases: Trojan:Win32/Lnkhyd.A (Microsoft), Downloader-CCO trojan (McAfee), Adware.StartPage (Symantec)
Type of infiltration: Trojan
Size: 84480 B
Affected platforms: Microsoft Windows
Signature database version: 4732 (20091231)

Short description

Win32/Lnkhyd.AA is a trojan that tries to promote certain web sites.

Installation

The trojan does not create any copies of itself.

The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    "{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    "{871C5380-42A0-1069-A2EA-08002B30309D}" = 1

Other information

The following files are modified:
  • %commondesktop%\*.lnk
  • %desktop%\*.lnk
  • %quicklaunch%\*.lnk
  • %commonprograms%\*.lnk
The trojan inserts an element containing a URL into each of these files.

The trojan changes the content of those files that contain any of the following strings:
  • 360SE.exe
  • iexplore.exe
  • Maxthon.exe
  • SogouExplorer.exe
  • TTraveler.exe
The trojan launches the following processes:
  • iexplore.exe
The user may be redirected to one of the following Internet web sites:
  • http://www.90965.com/#3
The following programs are terminated:
  • iexploer.exe
The following files are deleted:
  • %programfiles%\Internet Explorer\iexploer.exe
  • %system%\pomhic.lih
  • %system%\windows.hil
The trojan may create the following files:
  • %quicklaunch%\%string1% Internet Explorer %string2%.lnk
Strings written in Chinese are used in place of %string1% and %string2%.

The trojan may delete the following files:
  • %programfiles%\Internet Explorer\*.vbs
The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs. The HTTP protocol is used.

The trojan keeps various information in the following Registry key:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
    "UserData" = "%variable%"
A string with variable content is used instead of %variable%.
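
A triage check for the shortcut tampering described under "Other information", added here as an example and not taken from the vendor's write-up: it flags a .lnk file whose bytes contain both one of the listed browser executable names and an http(s) URL. It is a byte-level heuristic rather than a full Shell Link parser, so a legitimate shortcut that opens a browser on a fixed page is flagged for review as well; the sample blobs, the function names and the `example.invalid` URL are constructed for the example.

```python
import re
from pathlib import Path

# Browser executable names this entry lists as the strings the trojan looks for.
BROWSERS = ("360SE.exe", "iexplore.exe", "Maxthon.exe",
            "SogouExplorer.exe", "TTraveler.exe")
URL_RE = re.compile(r"https?://[!-~]+")  # run of printable ASCII after the scheme

def _texts(data):
    """Decode the raw file as ANSI and as UTF-16LE at both byte alignments."""
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")

def inspect_lnk(data):
    """Return the browsers and URLs found in one shortcut, or None if not both."""
    browsers, urls = set(), set()
    for text in _texts(data):
        lowered = text.lower()
        browsers.update(b for b in BROWSERS if b.lower() in lowered)
        urls.update(URL_RE.findall(text))
    if browsers and urls:
        return {"browsers": sorted(browsers), "urls": sorted(urls)}
    return None

def scan(directories):
    """Check *.lnk directly inside each directory (e.g. desktop, Quick Launch)."""
    hits = {}
    for directory in directories:
        for lnk in sorted(Path(directory).glob("*.lnk")):
            found = inspect_lnk(lnk.read_bytes())
            if found:
                hits[str(lnk)] = found
    return hits

# Constructed sample data, not real shortcuts: a 76-byte stand-in header
# followed by the strings a shortcut would carry.
HEADER = b"L\x00\x00\x00" + bytes(72)
IE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
CLEAN = HEADER + IE.encode("utf-16-le") + b"\x00\x00"
TAMPERED = CLEAN + "http://www.90965.com/#3".encode("utf-16-le") + b"\x00\x00"
ANSI = HEADER + b"C:\\Maxthon\\Maxthon.exe\x00http://example.invalid/\x00"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED), ("ansi", ANSI)):
        print(name, inspect_lnk(blob))
```

Pass `scan()` the resolved desktop, Quick Launch and Programs folders of each profile; every hit still needs a look at the shortcut's target and arguments before it is treated as tampering.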