Win32/Agent.YSM [Threat Name]

Win32/Agent.YSM [Threat Variant Name]

Category: trojan
Size: 282624 B
Detection created: Mar 13, 2017
Signature database version: 15080
Aliases: Backdoor.Win32.Androm.muuk (Kaspersky)
Short description

The trojan serves as a proxy server. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %localappdata%\teamviever_tr.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "IME" = "%localappdata%\teamviever_tr.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "IME" = "%localappdata%\teamviever_tr.exe -local 1234"

The trojan can terminate the following processes:

  • iexplore.exe

The trojan launches the following processes:

  • %programfiles%\Internet Explorer\iexplore.exe www.google.com

The trojan creates and runs a new thread with its own code within these running processes.

The trojan may create the following files:

  • %currentfolder%\test
  • %temp%\Signal3317.dat
  • %temp%\ava.dat

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 4 URLs. The HTTP and TCP protocols are used.

The trojan serves as a proxy server.

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\BCDSoft\State]

The trojan keeps various information in the following files:

  • %temp%\log.ewb
  • %temp%\log.ewbt
  • %temp%\log.bin
  • %temp%\policies.dat
  • %localappdata%\1
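The persistence entries listed under Installation and the artefact files listed above can be hunted for on an endpoint. The following script is an added example written for this page; it is not ESET's tooling. The indicator strings (Registry keys, the "IME" value name, the dropped binary name and the file paths) are copied from the description; the snapshot format, the function names (autorun_hits, present_files, expand, live_registry_snapshot) and the constructed sample values in the comments are this example's own assumptions.

```python
"""Hunt for the Win32/Agent.YSM persistence and file indicators described above.

Added example, not ESET's tooling.  Indicator strings come from the description;
the snapshot format and helper names are this example's own.
"""
import os
import sys
from typing import Callable, Dict, List, Tuple

# Autorun locations and value name from the Installation section.
REGISTRY_INDICATORS: List[Tuple[str, str, str]] = [
    ("HKEY_LOCAL_MACHINE",
     r"Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "IME"),
    ("HKEY_CURRENT_USER",
     r"Software\Microsoft\Windows\CurrentVersion\RunOnce", "IME"),
]

# Dropped binary and artefact files from the description, in unexpanded form.
FILE_INDICATORS: List[str] = [
    r"%localappdata%\teamviever_tr.exe",
    r"%temp%\Signal3317.dat",
    r"%temp%\ava.dat",
    r"%temp%\log.ewb",
    r"%temp%\log.ewbt",
    r"%temp%\log.bin",
    r"%temp%\policies.dat",
    r"%localappdata%\1",
]

DROPPED_BINARY = "teamviever_tr.exe"

# Snapshot layout (this example's own): {(hive, subkey): {value_name: data}}.
Snapshot = Dict[Tuple[str, str], Dict[str, str]]


def autorun_hits(snapshot: Snapshot) -> List[Tuple[str, str, str, str]]:
    """Return (hive, subkey, value_name, data) for each indicator value whose
    data references the dropped binary.  Matching on the binary name instead of
    the full string also catches the RunOnce form with the "-local 1234" argument."""
    hits = []
    for hive, subkey, name in REGISTRY_INDICATORS:
        data = snapshot.get((hive, subkey), {}).get(name)
        if data is not None and DROPPED_BINARY in data.lower():
            hits.append((hive, subkey, name, data))
    return hits


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% placeholders case-insensitively from the given mapping, so the
    check works with a constructed environment as well as the live one."""
    out = path
    for var, val in env.items():
        token = "%" + var.lower() + "%"
        idx = out.lower().find(token)
        while idx != -1:
            out = out[:idx] + val + out[idx + len(token):]
            idx = out.lower().find(token, idx + len(val))
    return out


def present_files(env: Dict[str, str],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Expand every file indicator against env and return the ones that exist.
    The exists predicate is injectable so the logic can run without a live host."""
    return [p for p in (expand(f, env) for f in FILE_INDICATORS) if exists(p)]


def live_registry_snapshot() -> Snapshot:
    """Read the two indicator keys from the real Registry (Windows only);
    returns an empty snapshot elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, importable only on Windows
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for hive, subkey, _ in REGISTRY_INDICATORS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values: Dict[str, str] = {}
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values under this key
                    values[name] = str(data)
                    i += 1
                snap[(hive, subkey)] = values
        except OSError:
            pass  # key absent: nothing to report for it
    return snap


if __name__ == "__main__":
    env = {"localappdata": os.environ.get("LOCALAPPDATA", ""),
           "temp": os.environ.get("TEMP", "")}
    for hit in autorun_hits(live_registry_snapshot()):
        print("autorun indicator:", hit)
    for path in present_files(env):
        print("file indicator present:", path)
```

Run it directly on a Windows host to check the live Registry and file system; on any platform the matching functions can be fed a constructed snapshot and environment, which is how a detection rule built from these indicators would be unit-tested before deployment.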