Win32/Fynloski [Threat Name]

Win32/Fynloski.AD [Threat Variant Name]

Category: trojan
Size: 626176 B
Detection created: May 30, 2012
Detection database version: 7182
Aliases: Backdoor:Win32/Fynloski.A (Microsoft)
  Trojan.Keylogger.MWQ (BitDefender)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using ASProtect.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %windir%\%variable1%
  • %system%\%variable1%
  • %appdata%\%variable1%
  • %favorites%\%variable1%
  • %startup%\%variable1%
  • %programs%\%variable1%
  • %mydocuments%\%variable1%
  • %cookies%\%variable1%
  • %desktop%\%variable1%
  • %drive%\%variable1%
  • %currentfolder%\%variable1%

The file is then executed.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%originaldata%, %malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\%variable3%]
    • "StubPath" = "%malwarefilepath%"

This causes the trojan to be executed on every system start.


The trojan may also set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
    • "AntiVirusDisableNotify" = 1
    • "FirewallDisableNotify" = 1
    • "UpdatesDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
    • "EnableFirewall" = 0
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wscsvc]
    • "Start" = 4

These values disable Task Manager and the Registry Editor, suppress Security Center notifications about antivirus, firewall and update status, turn off the Windows Firewall standard profile, and set the Security Center service (wscsvc) to Disabled.

A string with variable content is used instead of %variable1-3%.
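The two Registry lists above (the Run, Userinit and Active Setup persistence entries, and the security-weakening values) are what an incident responder would audit on a suspect host. The following is an added example, not ESET's code: it checks a registry snapshot shaped as {key_path: {value_name: data}} (for instance parsed from "reg export") against exactly those values. The file name, user name and Active Setup GUID in the constructed sample are placeholders, and the user-profile heuristic for StubPath is an assumption based on the install locations listed on this page.

```python
from typing import Dict, List

# Registry keys named on the page, spelled as "reg export" writes them.
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SECCENTER = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center"
FIREWALL = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile"
WSCSVC = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wscsvc"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# (key, value name, data the trojan writes), exactly as listed on the page.
WEAKENING = [
    (POLICIES, "DisableTaskMgr", 1), (POLICIES, "DisableRegistryTools", 1),
    (SECCENTER, "AntiVirusDisableNotify", 1), (SECCENTER, "FirewallDisableNotify", 1),
    (SECCENTER, "UpdatesDisableNotify", 1), (FIREWALL, "EnableFirewall", 0),
    (WSCSVC, "Start", 4),
]
# Substrings marking a user-profile path (the page's %appdata%, %startup%, %desktop% ...).
USER_PROFILE_HINTS = ("c:\\users\\", "%appdata%", "%userprofile%", "documents and settings")

def audit(snapshot: Dict[str, Dict[str, object]]) -> List[str]:
    """Return findings for a snapshot shaped {key_path: {value_name: data}}."""
    findings = []
    for key, name, bad in WEAKENING:
        if snapshot.get(key, {}).get(name) == bad:
            findings.append(f"{name}={bad} under {key}")
    # Userinit should name only userinit.exe; the trojan appends ", <malware path>".
    userinit = str(snapshot.get(WINLOGON, {}).get("Userinit", ""))
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    if len(entries) > 1 or any(not e.lower().endswith("userinit.exe") for e in entries):
        findings.append(f"Userinit tampered: {userinit}")
    # Active Setup StubPath launched from a user-profile folder (assumed heuristic).
    # Copies dropped into %windir% or %system%, also listed on the page, are not caught.
    for key, values in snapshot.items():
        if key.startswith(ACTIVE_SETUP) and "StubPath" in values:
            stub = str(values["StubPath"]).lower()
            if any(hint in stub for hint in USER_PROFILE_HINTS):
                findings.append(f"StubPath={values['StubPath']} under {key}")
    return findings

# Constructed snapshot mimicking the write-up; file name and subkey are placeholders.
PLACEHOLDER_EXE = r"C:\Users\bob\AppData\Roaming\PLACEHOLDER.exe"
SAMPLE_INFECTED = {
    POLICIES: {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    SECCENTER: {"AntiVirusDisableNotify": 1},
    FIREWALL: {"EnableFirewall": 0},
    WSCSVC: {"Start": 4},
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe," + PLACEHOLDER_EXE},
    ACTIVE_SETUP + r"\{PLACEHOLDER-GUID}": {"StubPath": PLACEHOLDER_EXE},
}
```

Running audit(SAMPLE_INFECTED) yields seven findings: five weakening values, the tampered Userinit line and the user-profile StubPath; a clean host with the default "userinit.exe," value and wscsvc Start = 2 yields none.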

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan opens TCP port 1604.


It can execute the following operations:

  • hide taskbar
  • send data to the printer
  • watch the user's screen content
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send files to a remote computer
  • capture screenshots
  • open a specific URL address
  • send the list of running processes to a remote computer
  • terminate running processes
  • log keystrokes
  • shut down/restart the computer
  • collect information about the operating system used
  • steal information from the Windows clipboard
  • send the list of disk devices and their type to a remote computer
  • send the list of files on specific drive to a remote computer
  • various filesystem operations
  • delete files
  • delete folders
  • create folders
  • create files
  • move files
  • start/stop services
  • capture webcam video/voice
  • execute shell commands
  • show/hide application windows
  • block keyboard and mouse input
  • perform port scanning
  • open the CD/DVD drive
  • log off the current user
  • delete Registry entries
  • create Registry entries
