Skip to main content

Backdoor.Win32.Fynloski_5b7ecd2a94


Gen:Heur.MSIL.Krypt.85 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.KeyLogger.19357 (DrWeb), Gen:Heur.MSIL.Krypt.85 (B) (Emsisoft), Artemis!5B7ECD2A9453 (McAfee), WS.Reputation.1 (Symantec), Trojan.Inject (Ikarus), Gen:Heur.MSIL.Krypt.85 (FSecure), Inject.ALDM (AVG), MSIL:Injector-FT [Trj] (Avast), TROJ_SCAR.BMC (TrendMicro), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Backdoor, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5b7ecd2a9453d7f7879f503d67b7259e

SHA1: f7a5fd1c4c10add76d55d303d5f3a8f5db5fca9d

SHA256: 43f66cb67cd399910f2b286c698cf19e50eea2f05218500bbf941a74d6e41b35

SSDeep: 12288:fGheVNXGxuXEngmvMPvzhHmZB8rr604KiPUwCEesSjRPckKUpWFBct0i7P9fZ:ceDXCuXEgmvM3V6B8rrPeswCPsSj2kKC

Size: 687104 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2013-12-07 10:04:20

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):No processes have been created.The Backdoor injects its code into the following process(es):

vbc.exe:2004
%original file name%.exe:1268

File activity

The process vbc.exe:2004 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe (7547 bytes)

Registry activity

The process vbc.exe:2004 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 EE 03 82 00 5E CF 54 A8 F0 92 41 4C 56 44 BA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe"

The process %original file name%.exe:1268 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A AA 1D 7B 78 8E D8 51 CE 48 C3 A5 90 44 D1 4C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe (7547 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MicroUpdate" = "%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe"

  5. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe"

  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps