One of the components of the Trojan is based on VNC code and has the ability to allow an attacker to control and stream a live video feed of a compromised computer’s desktop to a remote computer in real-time.
Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that they were specifically written for use with Hydraq using modified VNC code.
In conjunction with Hydraq, these files allow a remote attacker to control and stream a live video feed from an exploited computer. When looking at the information stored in the files, one thing stands out. The file creation information states that the files were created back in 2006.
Other components of Hydraq have creation dates in 2009. This leaves open the possibility that the Hydraq samples we are seeing today have been in development, or have evolved, over several years. However, another possibility is that the time and date were set wrong on the computer that was used when the source files were compiled.
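The comparison above rests on the compile timestamp a Windows binary carries in its PE header (the COFF TimeDateStamp, which is what the "file creation information" of a PE file usually means). The following is an added example, not Symantec's tooling, that reads that field and flags components whose build year disagrees with the rest of a sample set; the two 2006 file names and the 2006/2009 split come from the post, while the byte layout is a constructed stub header rather than the real binaries and the `component_*` names are placeholders.

```python
"""Compare PE compile timestamps across components of one toolkit (added example)."""
import struct
from collections import Counter
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp is the DWORD at offset 4 in it.
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def make_stub_pe(build_time: datetime) -> bytes:
    """Constructed minimal PE header (not a real binary) carrying build_time."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0",
                       0x14C,                        # Machine: IMAGE_FILE_MACHINE_I386
                       0,                            # NumberOfSections
                       int(build_time.timestamp()),  # TimeDateStamp (seconds since 1970, UTC)
                       0, 0,                         # PointerToSymbolTable, NumberOfSymbols
                       0xE0,                         # SizeOfOptionalHeader (PE32)
                       0x2102)                       # Characteristics: 32-bit executable DLL
    return bytes(dos) + coff

def timestamp_outliers(samples: dict) -> list:
    """Names whose compile year differs from the majority year of the set.
    One deviating stamp proves little on its own: a wrong clock on the build
    machine, or a hand-edited field, produces exactly the same picture."""
    years = {name: pe_timestamp(data).year for name, data in samples.items()}
    majority_year = Counter(years.values()).most_common(1)[0][0]
    return sorted(name for name, year in years.items() if year != majority_year)

# Constructed sample set mirroring the dates in the post; component_* names are placeholders.
UTC = timezone.utc
SAMPLES = {
    "VedioDriver.dll": make_stub_pe(datetime(2006, 3, 15, tzinfo=UTC)),
    "Acelpvc.dll": make_stub_pe(datetime(2006, 3, 15, tzinfo=UTC)),
    "component_a.dll": make_stub_pe(datetime(2009, 6, 1, tzinfo=UTC)),
    "component_b.dll": make_stub_pe(datetime(2009, 6, 2, tzinfo=UTC)),
    "component_c.exe": make_stub_pe(datetime(2009, 7, 9, tzinfo=UTC)),
}

if __name__ == "__main__":
    print("outliers:", timestamp_outliers(SAMPLES))
```

Run against real files by replacing the constructed `SAMPLES` values with the bytes of each dropped component; a deviating year is a lead to corroborate with other evidence, not a conclusion by itself.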