Win32/Chksyn [Threat Name]

Win32/Chksyn.AR [Threat Variant Name]

Category trojan
Size 347648 B
Detection created Jan 20, 2016
Detection database version 12900
Aliases Trojan.Win32.Waldek.cgb (Kaspersky)
  TrojanDropper:Win32/Evotob.B (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to one or more of the following locations:

  • %appdata%\Mozilla\svchoste.exe
  • %malwarefolder%\setup.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Generic Host Process" = "%appdata%\Mozilla\svchoste.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "wowsys64datecheck" = "1"
    • "ZonesSecurityTestUpgrade" = "1"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "WinNtM" = "1"
    • "WinNtAv" = "1"
    • "WinNtAr" = "1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions]
    • "*.exe" = 0
    • "*.dll" = 0
    • "*.tmp" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extension]
    • "*.exe" = 0
    • "*.dll" = 0
    • "*.tmp" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes]
    • "afwqs.exe" = 0
    • "rgjdu.exe" = 0
    • "explorer.exe" = 0
    • "spoolsv.exe" = 0
    • "rundll32.exe" = 0
    • "consent.exe" = 0
    • "svchost.exe" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
    • "afwqs.exe" = 0
    • "rgjdu.exe" = 0
    • "explorer.exe" = 0
    • "spoolsv.exe" = 0
    • "rundll32.exe" = 0
    • "consent.exe" = 0
    • "svchost.exe" = 0
  • [HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "EnableFirewall" = 0
    • "DoNotAllowExceptions" = 0
    • "DisableNotifications" = 1
  • [HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    • "EnableFirewall" = 0
    • "DoNotAllowExceptions" = 0
    • "DisableNotifications" = 1
  • [HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    • "EnableFirewall" = 0
    • "DoNotAllowExceptions" = 0
    • "DisableNotifications" = 1
  • [HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "AntiVirusDisableNotify" = 1
    • "AntiVirusOverride" = 1
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "UpdatesDisableNotify" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Protected Storage System Provider]
    • "ExtraData" = %binval1%
    • "System" = %binval2%
    • "Settings" = "%variable%"

A string with variable content is used instead of %variable%; %binval1% and %binval2% stand for binary data with variable content.
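The persistence entry and the tamper settings above can be checked in one pass. The following script is an added example and is not part of the ESET entry: it reads, without modifying anything, every Registry value and file path listed in the Installation section. The key paths, value names and data are taken from the entry; the helper function name, the sweep over all user profiles and the output format are this script's own assumptions. Run it from an elevated PowerShell prompt; the HKEY_CURRENT_USER checks cover only the current user.

```powershell
# Added example, not part of the ESET entry: read-only triage of the registry and file
# indicators listed above for Win32/Chksyn.AR. Run from an elevated PowerShell prompt.
# Key paths, value names and data come from the entry; the helper names, the per-profile
# file sweep and the output format are this script's own choices.

$Findings = [System.Collections.Generic.List[string]]::new()

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    # GetValue() is a literal lookup, so names like '*.exe' are not treated as wildcards
    $actual = $key.GetValue($Name)
    if ($null -eq $actual) { return }
    if ($null -eq $Expected -or "$actual" -eq "$Expected") {
        $Findings.Add("$Path\$Name = $actual")
    }
}

# 1. Persistence: the Run value, and the dropped copy in any user's roaming AppData
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'Generic Host Process' $null
$profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue
foreach ($prof in $profiles) {
    $dropped = Join-Path $prof.FullName 'AppData\Roaming\Mozilla\svchoste.exe'
    if (Test-Path -LiteralPath $dropped) {
        $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
        $Findings.Add("dropped file: $dropped (SHA256 $hash)")
    }
}

# 2. Infection markers
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'wowsys64datecheck' 1
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'ZonesSecurityTestUpgrade' 1
foreach ($n in 'WinNtM', 'WinNtAv', 'WinNtAr') {
    Test-RegValue 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' $n 1   # current user only
}

# 3. Exclusions written straight into the Defender / Antimalware keys. Excluding *.exe and
#    *.dll plus explorer.exe and svchost.exe as processes leaves on-access scanning blind.
#    The entry lists ...\Exclusions\Extension (singular) for Windows Defender, so both
#    spellings are checked.
$excl = @{
    'Microsoft Antimalware' = @('Extensions')
    'Windows Defender'      = @('Extension', 'Extensions')
}
foreach ($product in $excl.Keys) {
    foreach ($sub in $excl[$product]) {
        foreach ($ext in '*.exe', '*.dll', '*.tmp') {
            Test-RegValue "HKLM:\SOFTWARE\Microsoft\$product\Exclusions\$sub" $ext 0
        }
    }
    foreach ($proc in 'afwqs.exe', 'rgjdu.exe', 'explorer.exe', 'spoolsv.exe', 'rundll32.exe', 'consent.exe', 'svchost.exe') {
        Test-RegValue "HKLM:\SOFTWARE\Microsoft\$product\Exclusions\Processes" $proc 0
    }
}

# 4. Firewall switched off per profile, its service disabled, Security Center warnings muted
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'StandardProfile', 'PublicProfile', 'DomainProfile') {
    Test-RegValue "$fw\$fwProfile" 'EnableFirewall' 0
    Test-RegValue "$fw\$fwProfile" 'DisableNotifications' 1
}
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess' 'Start' 4   # 4 = service disabled
foreach ($n in 'AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify') {
    Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Security Center' $n 1
}

if ($Findings.Count -eq 0) { 'No Win32/Chksyn.AR indicators found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

A hit on the "Generic Host Process" Run value together with the svchoste.exe file is the strongest indicator; the exclusion and firewall values can also be set by administrators, so treat them as corroboration. Removing the binary does not undo them: the exclusions, the per-profile EnableFirewall = 0, the SharedAccess start type and the Security Center overrides have to be reverted separately, or the host stays unprotected after cleanup.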

Information stealing

The trojan collects the following information:

  • volume serial number
  • computer name
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan may affect the behavior of the following applications:

  • Malwarebytes Anti-Malware
  • AVG Antivirus Protection
  • Avira Antivirus
  • Windows Defender

The trojan may delete the following files:

  • %avirafolder%\TEMP\avwin.ini
  • %programdata%\Malwarebytes\Malwarebytes Anti-Malware\exclusions.dat
  • %programdata%\Malwarebytes\Malwarebytes Anti-Malware\Configuration\settings.conf
  • %programdata%\Malwarebytes\Malwarebytes Anti-Malware\Configuration\scheduler.conf
  • %allusersprofile%\Malwarebytes\Malwarebytes Anti-Malware\exclusions.dat
  • %allusersprofile%\Malwarebytes\Malwarebytes Anti-Malware\Configuration\settings.conf
  • %allusersprofile%\Malwarebytes\Malwarebytes Anti-Malware\Configuration\scheduler.conf

The trojan may delete the following folders:

  • %avgfolder%\Avg2011\update
  • %avgfolder%\Avg2012\update
  • %avgfolder%\Avg2013\update
  • %avgfolder%\Avg2014\update
  • %avgfolder%\Avg2015\update

The following files may be dropped; those that also appear in the deletion list above are replaced with the trojan's own versions:

  • %avirafolder%\TEMP\avwin.ini
  • %avgfolder%\Avg2011\update\download
  • %avgfolder%\Avg2012\update\download
  • %avgfolder%\Avg2013\update\download
  • %avgfolder%\Avg2014\update\download
  • %avgfolder%\Avg2015\update\download
  • %programdata%\Malwarebytes\Malwarebytes Anti-Malware\exclusions.dat
  • %programdata%\Malwarebytes\Malwarebytes Anti-Malware\Configuration\settings.conf
  • %programdata%\Malwarebytes\Malwarebytes Anti-Malware\Configuration\scheduler.conf
  • %allusersprofile%\Malwarebytes\Malwarebytes Anti-Malware\exclusions.dat
  • %allusersprofile%\Malwarebytes\Malwarebytes Anti-Malware\Configuration\settings.conf
  • %allusersprofile%\Malwarebytes\Malwarebytes Anti-Malware\Configuration\scheduler.conf

The trojan terminates processes with any of the following strings in the path:

  • mbam.exe

The trojan may execute the following commands:

  • net stop MpsSvc
  • net stop WinDefend
  • "%avirafolder%\avconfig.exe" /SAVEAVWININI="avwin.ini"
  • cmd.exe /c rmdir /S /Q "%avgfolder%\Avg2011\update"
  • cmd.exe /c rmdir /S /Q "%avgfolder%\Avg2012\update"
  • cmd.exe /c rmdir /S /Q "%avgfolder%\Avg2013\update"
  • cmd.exe /c rmdir /S /Q "%avgfolder%\Avg2014\update"
  • cmd.exe /c rmdir /S /Q "%avgfolder%\Avg2015\update"
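The commands above leave traces in the event logs even after the trojan has cleaned up its files. The following script is an added example, not part of the ESET entry: it hunts process-creation events for the listed command lines and the System log for the resulting Windows Firewall and Windows Defender service stops. The regular expressions are built from the commands in this entry; the seven-day lookback, the log selection and the service display names are this script's own assumptions. It needs either Sysmon (Event ID 1) or Security Event ID 4688 with "Include command line in process creation events" enabled; without command-line logging, 4688 only shows that net.exe or cmd.exe started.

```powershell
# Added example, not part of the ESET entry: hunt event logs for the commands listed above
# and for the resulting service stops. Needs Sysmon (Event ID 1) or Security 4688 with
# "Include command line in process creation events" enabled. The regexes are built from
# the entry's commands; the seven-day window and display-name list are this script's own.

$Since = (Get-Date).AddDays(-7)

# %avgfolder% and %avirafolder% vary per install, so the patterns match on the stable tail.
$Patterns = @(
    '\bnet(\.exe)?\s+stop\s+(MpsSvc|WinDefend)\b',
    'rmdir\s+/S\s+/Q\s+".*\\Avg201[1-5]\\update"',
    'avconfig\.exe"?\s+/SAVEAVWININI=',
    '\\AppData\\Roaming\\Mozilla\\svchoste\.exe'
)

function Get-ProcessCreationEvents {
    param([datetime]$StartTime)
    $events = @()
    $events += Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $StartTime }
    $events += Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $StartTime }
    # an empty query appends $null to the array; drop it
    return $events | Where-Object { $_ }
}

$hits = foreach ($e in Get-ProcessCreationEvents -StartTime $Since) {
    foreach ($p in $Patterns) {
        if ($e.Message -match $p) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Log     = $e.LogName
                Id      = $e.Id
                Matched = $Matches[0]
            }
            break
        }
    }
}

# Service Control Manager: 7036 = entered the stopped state, 7040 = start type changed.
# The messages carry display names, not service names, hence the list below.
$svcEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040; StartTime = $Since } |
    Where-Object { $_.Message -match 'Windows Firewall|Windows Defender|Internet Connection Sharing' }

$hits | Sort-Object Time | Format-Table -AutoSize
$svcEvents | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A `net stop MpsSvc` or `net stop WinDefend` launched from a process under %appdata% or from a renamed svchoste.exe is the combination to look for; the same commands typed by an administrator will match too, so pivot on the parent process recorded in the Sysmon event or the 4688 "Creator Process Name" before calling it an infection.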

The trojan injects its own code into the following processes and runs it there in a new thread:

  • svchost.exe
  • explorer.exe

To elevate its privileges, it attempts to exploit the following vulnerability:

  • CVE-2013-3660 (win32k.sys EPATHOBJ local privilege escalation)

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
