Win32/Agent.YSM [Threat Name]
Win32/Agent.YSM [Threat Variant Name]
Category | trojan
Size | 282624 B
Detection created | Mar 13, 2017
Detection database version | 15080
Aliases | Backdoor.Win32.Androm.muuk (Kaspersky)
Short description
The trojan serves as a proxy server. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %localappdata%\teamviever_tr.exe
To be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
- "IME" = "%localappdata%\teamviever_tr.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "IME" = "%localappdata%\teamviever_tr.exe -local 1234"
The trojan can terminate the following processes:
- iexplore.exe
The trojan launches the following processes:
- %programfiles%\Internet Explorer\iexplore.exe www.google.com
The trojan creates and runs a new thread containing its own code inside the process it launched.
The trojan may create the following files:
- %currentfolder%\test
- %temp%\Signal3317.dat
- %temp%\ava.dat
After the installation is complete, the trojan deletes the original executable file.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 4 URLs. The HTTP and TCP protocols are used.
The trojan serves as a proxy server.
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\BCDSoft\State]
The trojan keeps various information in the following files:
- %temp%\log.ewb
- %temp%\log.ewbt
- %temp%\log.bin
- %temp%\policies.dat
- %localappdata%\1
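The following PowerShell check is an added example, not part of the ESET entry: it looks on a host for the persistence entries and dropped files listed in the Installation and Other information sections above. It assumes the value name "IME" and the file names are as listed here and that the script runs in an elevated session on the affected machine.

```powershell
# Added example (not from the ESET entry): checks a host for the autorun
# entries, dropped files and state key listed for Win32/Agent.YSM.
$lad  = [Environment]::GetFolderPath('LocalApplicationData')   # %localappdata%
$temp = [IO.Path]::GetTempPath()                                # %temp%
$findings = @()

# Autorun locations used by the trojan. policies\Explorer\Run is an uncommon
# persistence location, so any value there deserves a look on its own.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Match the value name or the dropped file name; the name "IME"
            # is trivial to change between samples, the payload path less so.
            if ($p.Name -eq 'IME' -or "$($p.Value)" -like '*teamviever_tr.exe*') {
                $findings += "Autorun: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# Files the entry lists as copied, created or used for state.
$paths = @(
    (Join-Path $lad  'teamviever_tr.exe'),
    (Join-Path $lad  '1'),
    (Join-Path $temp 'Signal3317.dat'),
    (Join-Path $temp 'ava.dat'),
    (Join-Path $temp 'log.ewb'),
    (Join-Path $temp 'log.ewbt'),
    (Join-Path $temp 'log.bin'),
    (Join-Path $temp 'policies.dat')
)
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) { $findings += "File: $f" }
}

# Registry key the trojan uses to keep its state.
if (Test-Path -Path 'HKCU:\Software\BCDSoft\State') {
    $findings += 'Registry: HKCU\Software\BCDSoft\State'
}

if ($findings.Count -eq 0) { 'No Win32/Agent.YSM indicators found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

HKCU, %localappdata% and %temp% resolve only for the user running the script; to cover other profiles, repeat the file checks per profile directory and the key checks under HKEY_USERS for each loaded hive.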