Win32/Cycbot [Threat Name] go to Threat

Win32/Cycbot.AF [Threat Variant Name]

Category trojan
Size 126976 B
Detection created Jan 13, 2011
Detection database version 5783
Aliases Trojan.Win32.Scar.drqx (Kaspersky)
  Backdoor.Cycbot (Symantec)
  BackDoor.Gbot.origin (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­Microsoft\­conhost.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "conhost" = "%appdata%\­Microsoft\­conhost.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "conhost" = "%appdata%\­Microsoft\­conhost.exe"
Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (39) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • set up a proxy server
  • open ports
  • collect information about the operating system used
  • sending various information about the infected computer
  • various file system operations
  • send gathered information

The trojan collects sensitive information when the user browses certain web sites.


The following keywords are monitored:

  • bing.com
  • yahoo.com
  • .google
  • .virtualearth.
  • .microsoft.
  • .doubleclick.
  • facebook.
  • youtube.
  • wikipedia.
  • ebay.
  • msn
  • amazon.
  • twitter.
  • .opera.
  • search.aol.
  • suche.aol.
  • searcht2.aol.
  • .yimg.com
  • .bing.net
  • scorecardresearch.com
  • brightcove.com
  • .tacoda.
  • .adtechus.
  • .autodatadirect.
  • .mapquestapi.
  • gstatic.
  • googleusercontent.
  • googlesyndication.
  • google-analytics.

The trojan may create the following files:

  • %appdata%\­Microsoft\­gb_5000786.bat

The trojan may execute the following commands:

  • %appdata%\­Microsoft\­gb_5000786.bat

The trojan modifies the following file:

  • %appdata%\­Mozilla\­Firefox\­Profiles\­*\­prefs.js

The trojan interferes with the operation of some security applications to avoid detection.

Please enable Javascript to ensure correct displaying of this content and refresh this page.