Win32/Fynloski [Threat Name]

Win32/Fynloski.AN [Threat Variant Name]

Category trojan
Size 731136 B
Detection created Aug 26, 2013
Signature database version 10200
Aliases Trojan.Win32.Dapta.kv (Kaspersky)
  Backdoor:Win32/Fynloski (Microsoft)
  BDS/Fynloski.kayt (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to one of the following locations:

  • %variable1%\%variable2%
  • %systemdrive%\%variable2%
  • %windir%\%variable2%
  • %system%\%variable2%
  • %appdata%\%variable2%
  • %commonfavorites%\%variable2%
  • %commonstartmenu%\%variable2%
  • %commonprograms%\%variable2%
  • %personal%\%variable2%
  • %cookies%\%variable2%
  • %desktop%\%variable2%
  • %temp%\%variable2%

The file is then executed.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "UserInit" = "%originalvalue%, %malwarefilepath%"

This causes the trojan to be executed on every system start.


The trojan may create the following files:

  • %temp%\%variable4%

The files are then executed.


A string with variable content is used instead of %variable1-4%.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
    • "EnableLUA" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "EnableFirewall" = 0
    • "DisableNotifications" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
    • "AntiVirusDisableNotify" = "1"
    • "UpdatesDisableNotify" = "1"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorer]
    • "NoControlPanel" = "1"

These entries disable Task Manager, the Registry tools and UAC, switch off the Windows Firewall, silence Security Center notifications, stop the Security Center service (wscsvc) from starting, and hide the Control Panel.

The trojan can create and run a new thread with its own program code within the following processes:

  • %programfiles%\Internet Explorer\iexplore.exe
  • %windir%\explorer.exe
  • notepad.exe

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings
  • CPU information
  • memory status
  • user name
  • computer name
  • computer IP address
  • network adapter information
  • current screen resolution
  • language settings
  • the path to specific folders

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The TCP protocol is used.


It can execute the following operations:

  • hide taskbar
  • send data to the printer
  • watch the user's screen content
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send files to a remote computer
  • capture screenshots
  • open a specific URL address
  • send the list of running processes to a remote computer
  • terminate running processes
  • log keystrokes
  • shut down/restart the computer
  • collect information about the operating system used
  • steal information from the Windows clipboard
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • various filesystem operations
  • delete files
  • delete folders
  • create folders
  • create files
  • move files
  • start/stop services
  • capture webcam video/voice
  • execute shell commands
  • show/hide application windows
  • block keyboard and mouse input
  • perform port scanning
  • open the CD/DVD drive
  • log off the current user
  • delete Registry entries
  • create Registry entries
  • send gathered information
  • simulate user's input (clicks, taps)
  • display a dialog window
  • obtain the list of shared network folders
  • perform DoS/DDoS attacks

The trojan keeps various information in the following files:

  • %currentfolder%\%variable1%.dcp
  • %appdata%\dclogs\%variable2%.dc

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\DC3_FEXEC]
  • [HKEY_CURRENT_USER\DC2_USERS\%variable3%]

A string with variable content is used instead of %variable1-3%.
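The Registry artifacts listed in the Installation section (the security-tampering values and the Winlogon UserInit hijack) together with the DC3_FEXEC and DC2_USERS storage keys above give a defender a concrete triage check. The following added example (not from the original description or from any vendor tool) parses an exported .reg file and reports every indicator from this description that is present; the sample export and the appended %variable2% path in it are constructed placeholders.

```python
import re

# Registry indicators from the Win32/Fynloski.AN description: (key, value name, data).
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
FW = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SC = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center"
TAMPER = [(POL, "DisableTaskMgr", 1), (POL, "DisableRegistryTools", 1), (POL, "EnableLUA", 0),
          (FW, "EnableFirewall", 0), (SC, "AntiVirusDisableNotify", "1"), (SC, "UpdatesDisableNotify", "1"),
          (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4)]
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
STORAGE = [r"HKEY_CURRENT_USER\Software\DC3_FEXEC", r"HKEY_CURRENT_USER\DC2_USERS"]  # trojan's own data

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {name: data}}; keys/names are lowercased (Registry lookups are case-insensitive), dword:XXXXXXXX -> int, "..." -> unescaped str."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1).lower()
            entries.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if val and current is not None:
            entries[current][val.group(1).lower()] = int(val.group(2), 16) if val.group(2) else val.group(3).replace("\\\\", "\\")
    return entries

def fynloski_findings(entries):
    """Return human-readable findings for every indicator from the description that matches."""
    findings = []
    for key, name, expected in TAMPER:
        if entries.get(key.lower(), {}).get(name.lower()) == expected:
            findings.append(f"tamper: {key}\\{name} = {expected!r}")
    # UserInit normally names only the real userinit.exe; anything appended was injected.
    userinit = entries.get(WINLOGON.lower(), {}).get("userinit", "")
    extra = [p.strip() for p in userinit.split(",") if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
    if extra:
        findings.append(f"persistence: UserInit has extra entries {extra}")
    findings += [f"storage: key {k} present" for k in entries if any(k.startswith(s.lower()) for s in STORAGE)]
    return findings

# Constructed sample export (not a real capture); the appended path is a placeholder for %variable2%.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\variable2.exe"
[HKEY_CURRENT_USER\Software\DC3_FEXEC]
"placeholder"="constructed"
'''
```

On a live host, export the hives with `reg export` and feed the file to `parse_reg_export`; an empty findings list means none of the description's Registry indicators is present.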


The trojan hides its running process.


The trojan can be used to gain full access to the compromised computer.
