MSIL/Smeazymo

MSIL/Smeazymo.B

Category trojan
Size 77312 B
Detection created Sep 07, 2015
Detection database version 12217
Aliases Trojan-Downloader.MSIL.Crypted.hg (Kaspersky), Trojan:Win32/Skeeyah.A!bit (Microsoft)
Short description

MSIL/Smeazymo.B is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into the following location:

  • %localappdata%\%variable0%

The %variable0% is one of the following strings:

  • Ancode.exe
  • Anottrans.exe
  • Aplamhex.exe
  • Bamtechno.exe
  • Canlatlane.exe
  • Care-lane.exe
  • Cityfan.exe
  • Citytech.exe
  • Codelex.exe
  • Con-trans.exe
  • Conedex.exe
  • Coneholdings.exe
  • D-core.exe
  • Daltron.exe
  • Dalttech.exe
  • Dalttrans.exe
  • Damfase.exe
  • Damhouse.exe
  • Damtom.exe
  • dentoing.exe
  • Dingline.exe
  • Dingtechno.exe
  • Domcan.exe
  • Domzahow.exe
  • Donelectronics.exe
  • dong-tom.exe
  • Doning.exe
  • Donquotex.exe
  • dontouch.exe
  • double-city.exe
  • Doublebase.exe
  • Doubleis.exe
  • Doubletam.exe
  • E-dex.exe
  • E-how.exe
  • Fase-ron.exe
  • fasefan.exe
  • Faseway.exe
  • Fixlux.exe
  • freebase.exe
  • Freshtom.exe
  • Fundamin.exe
  • Ganjalax.exe
  • Grooveing.exe
  • Hatex.exe
  • Hexit.exe
  • Hexjoyway.exe
  • Hextexon.exe
  • High-dexon.exe
  • Highdom.exe
  • hotcan.exe
  • Hotdox.exe
  • Howzamtech.exe
  • Iceelectronics.exe
  • Icelax.exe
  • inchlex.exe
  • Isruncan.exe
  • Istexon.exe
  • itcom.exe
  • J-how.exe
  • jaytechno.exe
  • Jobtechi.exe
  • Joymedia.exe
  • K-it.exe
  • Kinnix.exe
  • Konk-hex.exe
  • Konkstrip.exe
  • Kontripzap.exe
  • Labsoltax.exe
  • Laelectronics.exe
  • Lajoyla.exe
  • Lamtone.exe
  • Lasantouch.exe
  • Latcane.exe
  • Latcore.exe
  • Latech.exe
  • lexikix.exe
  • Linezooity.exe
  • Lot-media.exe
  • Lotcorporation.exe
  • Lottexon.exe
  • Mathtam.exe
  • Matity.exe
  • Matlane.exe
  • Mattanix.exe
  • mediadom.exe
  • Mediaex.exe
  • Mediafan.exe
  • Movefan.exe
  • Moveis.exe
  • Namhex.exe
  • Newfinhigh.exe
  • Newholdings.exe
  • Nimdexon.exe
  • Nimline.exe
  • Nimzatbase.exe
  • Ontoplanet.exe
  • opeline.exe
  • Ozercare.exe
  • Physdrill.exe
  • Planetjob.exe
  • Planetlux.exe
  • Planettone.exe
  • Plexbase.exe
  • plexgreen.exe
  • Quadtex.exe
  • quoquote.exe
  • Quoteelectrics.exe
  • Qvojoplus.exe
  • Ran-lex.exe
  • Ranelectronics.exe
  • Ranktex.exe
  • Ranktom.exe
  • Reit.exe
  • retechno.exe
  • Runlux.exe
  • Sailfase.exe
  • Salttex.exe
  • sancan.exe
  • Sancode.
  • Sancode.exe
  • sandex.exe
  • Sanlatron.exe
  • Saodom.exe
  • saogreen.exe
  • Saolax.exe
  • Saoranity.exe
  • saotech.exe
  • Scot-lane.exe
  • Scot-lax.exe
  • Scotcane.exe
  • Silbam.exe
  • Silcan.exe
  • Silhatcity.exe
  • siliconcity.exe
  • siliconin.exe
  • Sillux.exe
  • Siltech.exe
  • Siltechnology.exe
  • silverhex.exe
  • silvernix.exe
  • Singleholding.exe
  • Sontrans.exe
  • Statlux.exe
  • statstrip.exe
  • Streetice.exe
  • Stripin.exe
  • Subelectrics.exe
  • subhex.exe
  • sumcorporation.exe
  • Suncity.exe
  • Suntexon.exe
  • Superdax.exe
  • Supertouch.exe
  • tamptam.exe
  • Tamptone.exe
  • tandrill.exe
  • Tanis.exe
  • Techitrax.exe
  • Technotam.exe
  • Technozone.exe
  • Tinfax.exe
  • Tonotline.exe
  • Toughcan.exe
  • toughdexon.exe
  • toughity.exe
  • Transfase.exe
  • trestech.exe
  • Triolotdom.exe
  • U-cane.exe
  • U-street.exe
  • unafix.exe
  • Unocare.exe
  • Unodox.exe
  • Unojoyfix.exe
  • Vaiahigh.exe
  • Vaiaholding.exe
  • Vilaex.exe
  • Vilafase.exe
  • Villabase.exe
  • Villalab.exe
  • Vivahouse.exe
  • Volity.exe
  • Voltfase.exe
  • X-code.exe
  • Xx-lex.exe
  • Xxx-line.exe
  • Y-ex.exe
  • Y-fan.exe
  • Yearquadfan.exe
  • Zaamzim.exe
  • Zamcom.exe
  • Zath-zone.exe
  • Zathzobam.exe
  • Zencorporation.exe
  • Zercon.exe
  • Zimremice.exe
  • Zoobam.exe
  • Zootechi.exe
  • Zottechi.exe

The trojan registers itself as a system service using the following name:

  • %servicename%

This causes the trojan to be executed on every system start.

The trojan executes the following commands:

  • C:\Windows\System32\cmd.exe /c "sc create "%servicename%" binPath= "%localappdata%\%variable0% %variable1% %servicename%" DisplayName= "%variable2%" start= "auto""
  • sc failure "%servicename%" reset= 0 actions= restart/0
  • sc description "%servicename%" "%variable2%"

The trojan may execute the following commands:

  • C:\Windows\System32\cmd.exe /c SCHTASKS.exe /Create /F /TN "%variable1%" /TR "%localappdata%\%variable0% %random1% %random2%" /SC onlogon /RL HIGHEST /ru "SYSTEM"

The %variable1% is one of the following strings:

  • absaroducu
  • absprqduua
  • aoonloaduo
  • aounaoadua
  • aownljaduo
  • aroductpeo
  • bebproduct
  • bespakduct
  • bpdaee
  • compyoduct
  • comwedatey
  • csmupdate
  • ddwnlzad
  • dmdattu
  • dnwnload
  • dnwnuondup
  • doanload
  • doenlcaddo
  • doiiload
  • doinloaddm
  • doonioad
  • doonloader
  • dowaeoad
  • dowbeoadua
  • doweloadie
  • dowiloadup
  • dowiloaoil
  • downibad
  • downioaa
  • downioadwi
  • downkzhd
  • downlday
  • downljqq
  • downlkadqi
  • downloacyi
  • download
  • downloaden
  • downloadex
  • downloadin
  • downloadpi
  • downloadx
  • downloae
  • downlohd
  • downlpad
  • downlsad
  • downlsadio
  • downlzhiup
  • downqoadai
  • downukadqp
  • downyoadpw
  • downyoadup
  • dowoload
  • dowoloadad
  • dowtloddyr
  • dowuloadan
  • dowuloadup
  • doynload
  • doyyloadrw
  • dpynloae
  • dqwuloadio
  • dtynloadil
  • dwwnioad
  • eebxpdate
  • egtraupddt
  • ehwnload
  • entdownloa
  • entdtwojoz
  • eproduct
  • eprodukt
  • eroduat
  • eupdateddw
  • euroauct
  • exkcdvtemp
  • extradoynl
  • extraproou
  • exupdatead
  • greshdnanl
  • gyroductdo
  • ineupdwte
  • innproduct
  • intupratep
  • intyownloa
  • inyraupuat
  • iosnload
  • iowneoadup
  • iproduct
  • iroduct
  • iroductuol
  • irowuit
  • mpdaqe
  • mrodmct
  • netupodtep
  • neweowyooa
  • noajoyneot
  • nowuedctep
  • nqeproduct
  • nzwupdxtep
  • orodzctdog
  • paoduct
  • pcoductpro
  • peoductoow
  • pioduct
  • pmmduet
  • poodhct
  • posdoonioa
  • posuownooa
  • prcduai
  • prcduct
  • prfoucrdow
  • prgductyy
  • prhduct
  • prmauct
  • prmdbctpro
  • proauctpro
  • prodlct
  • prodnct
  • prodqcn
  • prodrco
  • produatpzo
  • producadoo
  • produci
  • produco
  • producoupd
  • product
  • productdet
  • productdqw
  • producthpd
  • productlie
  • productupd
  • producu
  • producy
  • produet
  • produurdow
  • proiuctpro
  • propsctpyo
  • prouuct
  • prrducu
  • prtductad
  • pupductera
  • pyodqct
  • pyoductprh
  • rbupdctweu
  • rkdownilad
  • turodhct
  • uadatedjwn
  • uadatj
  • uedatqdowu
  • ueoatj
  • uodate
  • uodateao
  • uodvye
  • upaaip
  • upaate
  • updaad
  • updaie
  • updaiqarod
  • update
  • updateama
  • updatedoon
  • updatedown
  • updateerod
  • updateino
  • updateupda
  • updatjuoon
  • updatwupda
  • updayeline
  • updcte
  • updfae
  • updgteeece
  • updntedown
  • updqteprca
  • updqteprod
  • updvte
  • updzteuudc
  • upeate
  • upeatrarod
  • upuate
  • upuste
  • upyateupda
  • upyatg
  • upyatq
  • urhduct
  • uroduce
  • uuaate
  • uudateprod
  • uydate
  • uzdayedown
  • vpaate
  • webdobnloa
  • webdpwneob
  • webupdatep
  • weoprvduct
  • wntrauwxat
  • xldatza
  • yeedownlxa
  • yesojwnloa
  • yownloaddo
  • yownloadpr
  • yroeuct
  • zpoctedown

The %variable2% is one of the following strings:

  • Airstring
  • Alpha Jaydom
  • Alphabam
  • Ancof
  • Angoflex
  • Antough
  • Bam Eco
  • Betajob
  • Bigtip
  • Bigwarm
  • Bio Dubkix
  • Bionamfind
  • Blueair
  • Cansing
  • Canzoztough
  • Coftough
  • Dam Bam
  • Damex
  • Dento-Dox
  • Ding Eco
  • Ding Sonhold
  • Domlex
  • Donfix
  • Donflex
  • Donsailtrax
  • Dontop
  • Double Quofind
  • Drip Latlab
  • Dripcom
  • Driptop
  • Duo Plus
  • Duoair
  • Duobam
  • Eco-Soft
  • Fax-Warm
  • Fin Joyplus
  • Fixsoft
  • Freelab
  • Fresh-Sing
  • Freshfax
  • Fun Hattip
  • Geo-Zap
  • Geodom
  • Geolight
  • Gold Cantax
  • Golden Sailkix
  • Goldensoft
  • Goldentohold
  • Gravelight
  • Gravestock
  • Gravetex
  • Hatcanstring
  • Hattone
  • Holdtonflex
  • Home-Fax
  • Hot Is
  • Hothatlab
  • Hottinfan
  • Hotzimtax
  • Icerunfresh
  • Icetam
  • Inch-Warm
  • Inchhold
  • Inchwarm
  • Incof
  • It Sing
  • Jobdax
  • Jobfix
  • Jobtrax
  • Kan Quofind
  • Konkfresh
  • La Core
  • Lam Sunair
  • Lamsing
  • Lamtip
  • Lat Oveis
  • Latair
  • Lexi Andox
  • Lexifax
  • Lotit
  • Mathdonity
  • Mathstock
  • Matin
  • Med-Com
  • Medron
  • Movesunlam
  • Movetex
  • New Tech
  • Newlight
  • Nimflex
  • Nimlamjob
  • Ontoex
  • Ontotax
  • Open Plus
  • Ozerex
  • Ozerkeyhold
  • Phys-Com
  • Physdox
  • Plus Lam
  • Pluswarm
  • Quad Zozlux
  • Quote Top
  • Ran-Lux
  • Ranfan
  • Rankix
  • Round Tex
  • Rundax
  • S-ity
  • Sailing
  • Salt In
  • San-Phase
  • Sao-Stock
  • Saotex
  • Saotouch
  • Scotrundex
  • Sil-Lam
  • Sildax
  • Silkayzap
  • Sing Quadsoft
  • Singlezap
  • Soft Redplus
  • Softdax
  • Softex
  • Softfresh
  • Sololux
  • Son-It
  • Stanfix
  • Stantex
  • Stim Trax
  • Stimbam
  • Stimis
  • Stimtandax
  • Strongcore
  • Strongdex
  • Strongla
  • Strongplus
  • Strongtax
  • Sub Dom
  • Sum Tex
  • Sumtam
  • Sunlight
  • Supernix
  • Tam Lotbam
  • Tamfix
  • Tampity
  • Tamtam
  • Tanstock
  • Tech-Nix
  • Techdinla
  • Tempwarm
  • Ton Cantex
  • Tonfresh
  • Tonwarm
  • Topsolwarm
  • Touchla
  • Touchzap
  • Tough-Cof
  • Trippleflex
  • Trippletintax
  • Trust Solstring
  • U- Saotip
  • U- Zaming
  • Unafind
  • Unidom
  • Uno Saoit
  • Unotone
  • Ventostatron
  • Vila Zimtough
  • Villatouch
  • Viva Santex
  • Viva Zeneco
  • Viva-Lex
  • Vivaotdox
  • Vivasoncore
  • Vol Latin
  • Vol-Flex
  • Volplus
  • Volttech
  • Voya Com
  • Voyasonplus
  • Whitesing
  • X-bam
  • X-plus
  • Xxx- Soft
  • Yearfan
  • Yearlax
  • Yearlotron
  • Zaam-In
  • Zath Fax
  • Zen-Fax
  • Zimlux
  • Zone-Eco
  • Zoneron
  • Zoo Soltrax
  • Zoofresh
  • Zoom Trax
  • Zoomlux
  • Zoozap
  • Zum Hotsing
  • Zumfax

The %servicename% is composed of the following strings:

  • %variable1% %variable2%

Other information

The trojan contains a list of 2 URLs.

The trojan tries to download a file from the Internet.

The file is stored in the following location:

  • %temp%\%variable%.tmp

The file is then executed. The HTTP or HTTPS protocol is used.

A string with variable content is used instead of %variable%.

The trojan requires the Microsoft .NET Framework to run.
