Win32/Cefyns [Threat Name]

Win32/Cefyns.A [Threat Variant Name]

Category trojan
Size 208896 B
Detection created Mar 01, 2011
Detection database version 5918
Aliases TrojanDropper:Win32/Cefyns.A (Microsoft)

Short description

Win32/Cefyns.A is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\%malwarefilename%

The trojan creates the following files:

  • %programfiles%\altcmd\altcmd32.dll (184320 B)
  • %programfiles%\altcmd\uninstall.bat
  • %programfiles%\altcmd\altcmd.inf

The trojan may create the following files:

  • %temp%\1.bat
  • %temp%\1.tmp
  • %appdata%\9emp3.exe
  • %appdata%\f1.csv

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare]
    • "DisplayName" = "altcompare"
    • "UninstallString" = "%programfiles%\altcmd\uninstall.bat"
    • "DisplayIcon" = "C:\program.exe,0"
    • "DisplayVersion" = "1.137.1.31"
    • "EstimatedSize" = "20"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}]
    • "(Default)" = "BhoApp Class"
    • "ProgID" = "hzfeL1.BhoApp.1"
    • "TypeLib" = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
    • "VersionIndependentProgID" = "hzfeL1.BhoApp"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\InprocServer32]
    • "(Default)" = "%programfiles%\altcmd\altcmd32.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp]
    • "(Default)" = "BhoApp Class"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CLSID]
    • "(Default)" = "{2A8D06B4-1B40-009F-E531-629A59080F43}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CurVer]
    • "(Default)" = "hzfeL1.BhoApp.1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp.1]
    • "(Default)" = "BhoApp Class"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp.1\CLSID]
    • "(Default)" = "{2A8D06B4-1B40-009F-E531-629A59080F43}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}]
    • "(Default)" = "_IBhoAppEvents"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid]
    • "(Default)" = "{00020420-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32]
    • "(Default)" = "{00020420-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib]
    • "(Default)" = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}]
    • "(Default)" = "IBhoApp"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib]
    • "(Default)" = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0]
    • "(Default)" = "MsVCL1 1.0 Type Library"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32]
    • "(Default)" = "%programfiles%\altcmd\altcmd32.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS]
    • "(Default)" = "0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR]
    • "(Default)" = "%programfiles%\altcmd\"

Other information

The trojan affects the behavior of the following applications:

  • iexplore.exe

The trojan hooks the following Windows APIs:

  • HttpAddRequestHeadersA (wininet.dll)
  • HttpOpenRequestA (wininet.dll)

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (4) URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • monitor network traffic
  • redirect network traffic
  • delete Registry entries
  • create Registry entries
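
The following PowerShell sweep is an added example for responders; it is not part of the ESET write-up. It checks a host for the file, Registry and process artifacts listed above: the dropped files under %programfiles%, %appdata% and %temp%, the COM registration chain (ProgID to CLSID to InprocServer32 to the DLL path), the uninstall entry, and whether the DLL is loaded into iexplore.exe, where the wininet.dll hooks would have to live. Two things in it are assumptions of the example rather than facts from the write-up: the Wow6432Node paths (where 32-bit code registers on 64-bit Windows) and the Internet Explorer "Browser Helper Objects" key, which the write-up does not list but which is the natural place to look given the "BhoApp Class" registration.

```powershell
# Added example, not from the ESET write-up: sweep a Windows host for the
# Win32/Cefyns.A artifacts listed above. Run from an elevated PowerShell.
# The Wow6432Node paths and the Browser Helper Objects check are assumptions
# of this example; the write-up lists neither.

$Clsid    = '{2A8D06B4-1B40-009F-E531-629A59080F43}'
$TypeLib  = '{A8954909-1F0F-41A5-A7FA-3B376D69E226}'
$Findings = New-Object 'System.Collections.Generic.List[string]'

# A 32-bit dropper's %programfiles% resolves to "Program Files (x86)" on
# 64-bit Windows, so look under both roots where they exist.
$PfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

# 1. Dropped files. %appdata% and %temp% are per-user: run this as the user
#    who browsed, or repeat it per profile under C:\Users, to cover those.
$Files = @()
foreach ($root in $PfRoots) {
    $Files += @('altcmd32.dll', 'uninstall.bat', 'altcmd.inf') |
        ForEach-Object { Join-Path $root "altcmd\$_" }
}
$Files += @((Join-Path $env:APPDATA '9emp3.exe'), (Join-Path $env:APPDATA 'f1.csv'),
            (Join-Path $env:TEMP '1.bat'),        (Join-Path $env:TEMP '1.tmp'))
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $len  = (Get-Item -LiteralPath $f).Length
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $Findings.Add("file:   $f ($len B, SHA256 $hash)")
    }
}

# 2. COM registration chain: ProgID -> CLSID -> InprocServer32 -> DLL path.
#    CLSID and Uninstall are redirected for 32-bit code on 64-bit Windows,
#    so check the Wow6432Node view too; ProgID and TypeLib keys are shared.
$Keys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32",
    'HKLM:\SOFTWARE\Classes\hzfeL1.BhoApp\CLSID',
    'HKLM:\SOFTWARE\Classes\hzfeL1.BhoApp.1\CLSID',
    "HKLM:\SOFTWARE\Classes\TypeLib\$TypeLib\1.0\0\win32",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\altcompare'
)
foreach ($k in $Keys) {
    if (Test-Path -LiteralPath $k) {
        # "(default)" is how the Registry provider exposes a key's unnamed value.
        $default = (Get-ItemProperty -LiteralPath $k).'(default)'
        $Findings.Add("regkey: $k" + $(if ($default) { " -> $default" }))
    }
}

# 3. Is the class wired into Internet Explorer as a BHO? A subkey named after
#    the CLSID under this key makes IE load the InprocServer32 DLL at startup.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $BhoRoots) {
    if (Test-Path -LiteralPath "$root\$Clsid") { $Findings.Add("bho:    $root\$Clsid") }
}

# 4. The hooks target wininet.dll inside iexplore.exe, so the hooking DLL must
#    be loaded in those processes. Module enumeration can fail across the
#    32/64-bit boundary; if it does, rerun from a PowerShell of IE's bitness.
foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    try {
        $p.Modules | Where-Object { $_.FileName -like '*\altcmd\*' } |
            ForEach-Object { $Findings.Add("module: PID $($p.Id) $($_.FileName)") }
    } catch {
        $Findings.Add("module: PID $($p.Id) modules not readable ($($_.Exception.Message))")
    }
}

if ($Findings.Count -eq 0) { 'No Win32/Cefyns.A artifacts found.' }
else { "Found $($Findings.Count) indicator(s):"; $Findings | ForEach-Object { "  $_" } }
```

Treat a hit on the Registry chain or the loaded module as a confirmed infection and a hit on file names alone as a lead to verify by hash: the 184320 B size of altcmd32.dll is a weak indicator on its own. Do not run the dropped uninstall.bat as a cleanup step; it is attacker-supplied and the uninstall entry exists to make the component look like ordinary software. Remove the keys and files with your endpoint tooling instead, and note that the CLSID, ProgID and DLL name may differ in other samples of the family.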
