Friday, February 24, 2012

Trojan:Win32/EyeStye.H


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Nov 24, 2010

Aliases
  • BKDR_QAKBOT.SMC (Trend Micro)
  • Trojan.Win32.Inject.asix (Kaspersky)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.87.1998.0
Released: Aug 16, 2010



Summary

Trojan:Win32/EyeStye.H is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.



Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
      c:\outbackxxx.exe\config.bin
      c:\outbackxxx.exe\outbackxxx.exe
  • The presence of the following registry modifications:
      Adds value: "outbackxxx.exe"
      With data: "c:\outbackxxx.exe\outbackxxx.exe"
      To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run




Technical Information (Analysis)

Trojan:Win32/EyeStye.H is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
When executed, Trojan:Win32/EyeStye.H copies itself to c:\outbackxxx.exe\outbackxxx.exe.

The malware modifies the following registry entry to ensure that its copy executes at each Windows start:
  • Adds value: "outbackxxx.exe"
    With data: "c:\outbackxxx.exe\outbackxxx.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The malware creates the following files on an affected computer:

  • c:\outbackxxx.exe\config.bin

The malware utilizes code injection in order to hinder detection and removal. When Trojan:Win32/EyeStye.H executes, it may inject code into running processes, including the following, for example:
  • explorer.exe
  • lsass.exe
  • svchost.exe
  • winlogon.exe
Payload
Contacts remote host
Trojan:Win32/EyeStye.H may contact a remote host at 91.212.198.60 using port 53. Commonly, malware may contact a remote host for the following purposes:
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

This malware description was produced and published using our automated analysis system's examination of file SHA1 58c4916bb78a4ce0d49e736ab20f4f1186fea94d.
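As an added example that is not part of the encyclopedia entry, the following read-only PowerShell audit checks one host for the indicators listed above (dropped file paths, the Run-key value, the sample's SHA1 and the remote host). It assumes the port 53 traffic is TCP and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later); every other value comes from this page.

```powershell
# Added example, not part of the encyclopedia entry: read-only audit of one host for
# the Trojan:Win32/EyeStye.H indicators listed above. It reports findings only; it
# does not delete files, change the registry or terminate processes.
$EyeStyeIoc = @{
    RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    RunValue  = 'outbackxxx.exe'
    RunData   = 'c:\outbackxxx.exe\outbackxxx.exe'
    Files     = @('c:\outbackxxx.exe\outbackxxx.exe', 'c:\outbackxxx.exe\config.bin')
    Sha1      = '58c4916bb78a4ce0d49e736ab20f4f1186fea94d'   # SHA1 of the analysed sample
    C2Address = '91.212.198.60'
    C2Port    = 53
}

function Test-EyeStyeIndicators {
    param([hashtable]$Ioc = $EyeStyeIoc)
    $findings = New-Object System.Collections.Generic.List[object]

    # Persistence: the HKCU Run value. HKCU is per user, so run this in each user's
    # context (or walk HKU) on a shared machine.
    $run = Get-ItemProperty -Path $Ioc.RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$Ioc.RunValue]) {
        $name = $Ioc.RunValue
        $data = [string]$run.$name
        $findings.Add([pscustomobject]@{ Type = 'RunKey'; Detail = "$name = $data"
                                         Exact = ($data -ieq $Ioc.RunData) })
    }

    # Dropped files: hash any that exist and compare with the analysed sample's SHA1.
    # A different hash is still a finding; the paths themselves are the indicator.
    foreach ($f in $Ioc.Files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $h = (Get-FileHash -LiteralPath $f -Algorithm SHA1).Hash
            $findings.Add([pscustomobject]@{ Type = 'File'; Detail = "$f sha1=$h"
                                             Exact = ($h -ieq $Ioc.Sha1) })
        }
    }

    # Remote host: the entry says only "port 53". TCP is assumed here; if the traffic is
    # UDP 53 (DNS-looking), look for the address in firewall or DNS logs instead.
    Get-NetTCPConnection -RemoteAddress $Ioc.C2Address -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'Network'
                Detail = "$($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess)"
                Exact = ($_.RemotePort -eq $Ioc.C2Port) })
        }
    return $findings
}

Test-EyeStyeIndicators | Format-Table -AutoSize
```

An empty table means none of the listed indicators was found for the current user; because the malware injects into explorer.exe, lsass.exe, svchost.exe and winlogon.exe, a process-name check alone is not a useful indicator and is deliberately not included.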

No comments:
