MSIL/Smeazymo [Threat Name]
MSIL/Smeazymo.B [Threat Variant Name]
| Category | trojan |
| Size | 77312 B |
| Detection created | Sep 07, 2015 |
| Detection database version | 12217 |
| Aliases | Trojan-Downloader.MSIL.Crypted.hg (Kaspersky), Trojan:Win32/Skeeyah.A!bit (Microsoft) |
Short description
MSIL/Smeazymo.B is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan copies itself into the following location:
- %localappdata%\%variable0%
The %variable0% is one of the following strings:
- Ancode.exe
- Anottrans.exe
- Aplamhex.exe
- Bamtechno.exe
- Canlatlane.exe
- Care-lane.exe
- Cityfan.exe
- Citytech.exe
- Codelex.exe
- Con-trans.exe
- Conedex.exe
- Coneholdings.exe
- D-core.exe
- Daltron.exe
- Dalttech.exe
- Dalttrans.exe
- Damfase.exe
- Damhouse.exe
- Damtom.exe
- dentoing.exe
- Dingline.exe
- Dingtechno.exe
- Domcan.exe
- Domzahow.exe
- Donelectronics.exe
- dong-tom.exe
- Doning.exe
- Donquotex.exe
- dontouch.exe
- double-city.exe
- Doublebase.exe
- Doubleis.exe
- Doubletam.exe
- E-dex.exe
- E-how.exe
- Fase-ron.exe
- fasefan.exe
- Faseway.exe
- Fixlux.exe
- freebase.exe
- Freshtom.exe
- Fundamin.exe
- Ganjalax.exe
- Grooveing.exe
- Hatex.exe
- Hexit.exe
- Hexjoyway.exe
- Hextexon.exe
- High-dexon.exe
- Highdom.exe
- hotcan.exe
- Hotdox.exe
- Howzamtech.exe
- Iceelectronics.exe
- Icelax.exe
- inchlex.exe
- Isruncan.exe
- Istexon.exe
- itcom.exe
- J-how.exe
- jaytechno.exe
- Jobtechi.exe
- Joymedia.exe
- K-it.exe
- Kinnix.exe
- Konk-hex.exe
- Konkstrip.exe
- Kontripzap.exe
- Labsoltax.exe
- Laelectronics.exe
- Lajoyla.exe
- Lamtone.exe
- Lasantouch.exe
- Latcane.exe
- Latcore.exe
- Latech.exe
- lexikix.exe
- Linezooity.exe
- Lot-media.exe
- Lotcorporation.exe
- Lottexon.exe
- Mathtam.exe
- Matity.exe
- Matlane.exe
- Mattanix.exe
- mediadom.exe
- Mediaex.exe
- Mediafan.exe
- Movefan.exe
- Moveis.exe
- Namhex.exe
- Newfinhigh.exe
- Newholdings.exe
- Nimdexon.exe
- Nimline.exe
- Nimzatbase.exe
- Ontoplanet.exe
- opeline.exe
- Ozercare.exe
- Physdrill.exe
- Planetjob.exe
- Planetlux.exe
- Planettone.exe
- Plexbase.exe
- plexgreen.exe
- Quadtex.exe
- quoquote.exe
- Quoteelectrics.exe
- Qvojoplus.exe
- Ran-lex.exe
- Ranelectronics.exe
- Ranktex.exe
- Ranktom.exe
- Reit.exe
- retechno.exe
- Runlux.exe
- Sailfase.exe
- Salttex.exe
- sancan.exe
- Sancode.
- Sancode.exe
- sandex.exe
- Sanlatron.exe
- Saodom.exe
- saogreen.exe
- Saolax.exe
- Saoranity.exe
- saotech.exe
- Scot-lane.exe
- Scot-lax.exe
- Scotcane.exe
- Silbam.exe
- Silcan.exe
- Silhatcity.exe
- siliconcity.exe
- siliconin.exe
- Sillux.exe
- Siltech.exe
- Siltechnology.exe
- silverhex.exe
- silvernix.exe
- Singleholding.exe
- Sontrans.exe
- Statlux.exe
- statstrip.exe
- Streetice.exe
- Stripin.exe
- Subelectrics.exe
- subhex.exe
- sumcorporation.exe
- Suncity.exe
- Suntexon.exe
- Superdax.exe
- Supertouch.exe
- tamptam.exe
- Tamptone.exe
- tandrill.exe
- Tanis.exe
- Techitrax.exe
- Technotam.exe
- Technozone.exe
- Tinfax.exe
- Tonotline.exe
- Toughcan.exe
- toughdexon.exe
- toughity.exe
- Transfase.exe
- trestech.exe
- Triolotdom.exe
- U-cane.exe
- U-street.exe
- unafix.exe
- Unocare.exe
- Unodox.exe
- Unojoyfix.exe
- Vaiahigh.exe
- Vaiaholding.exe
- Vilaex.exe
- Vilafase.exe
- Villabase.exe
- Villalab.exe
- Vivahouse.exe
- Volity.exe
- Voltfase.exe
- X-code.exe
- Xx-lex.exe
- Xxx-line.exe
- Y-ex.exe
- Y-fan.exe
- Yearquadfan.exe
- Zaamzim.exe
- Zamcom.exe
- Zath-zone.exe
- Zathzobam.exe
- Zencorporation.exe
- Zercon.exe
- Zimremice.exe
- Zoobam.exe
- Zootechi.exe
- Zottechi.exe
The trojan registers itself as a system service using the following name:
- %servicename%
This causes the trojan to be executed on every system start.
The trojan executes the following commands:
- C:\Windows\System32\cmd.exe /c "sc create "%servicename%" binPath= "%localappdata%\%variable0% %variable1% %servicename%" DisplayName= "%variable2%" start= "auto""
- sc failure "%servicename%" reset= 0 actions= restart/0
- sc description "%servicename%" "%variable2%"
The trojan may execute the following commands:
- C:\Windows\System32\cmd.exe /c SCHTASKS.exe /Create /F /TN "%variable1%" /TR "%localappdata%\%variable0% %random1% %random2%" /SC onlogon /RL HIGHEST /ru "SYSTEM"
The %variable1% is one of the following strings:
- absaroducu
- absprqduua
- aoonloaduo
- aounaoadua
- aownljaduo
- aroductpeo
- bebproduct
- bespakduct
- bpdaee
- compyoduct
- comwedatey
- csmupdate
- ddwnlzad
- dmdattu
- dnwnload
- dnwnuondup
- doanload
- doenlcaddo
- doiiload
- doinloaddm
- doonioad
- doonloader
- dowaeoad
- dowbeoadua
- doweloadie
- dowiloadup
- dowiloaoil
- downibad
- downioaa
- downioadwi
- downkzhd
- downlday
- downljqq
- downlkadqi
- downloacyi
- download
- downloaden
- downloadex
- downloadin
- downloadpi
- downloadx
- downloae
- downlohd
- downlpad
- downlsad
- downlsadio
- downlzhiup
- downqoadai
- downukadqp
- downyoadpw
- downyoadup
- dowoload
- dowoloadad
- dowtloddyr
- dowuloadan
- dowuloadup
- doynload
- doyyloadrw
- dpynloae
- dqwuloadio
- dtynloadil
- dwwnioad
- eebxpdate
- egtraupddt
- ehwnload
- entdownloa
- entdtwojoz
- eproduct
- eprodukt
- eroduat
- eupdateddw
- euroauct
- exkcdvtemp
- extradoynl
- extraproou
- exupdatead
- greshdnanl
- gyroductdo
- ineupdwte
- innproduct
- intupratep
- intyownloa
- inyraupuat
- iosnload
- iowneoadup
- iproduct
- iroduct
- iroductuol
- irowuit
- mpdaqe
- mrodmct
- netupodtep
- neweowyooa
- noajoyneot
- nowuedctep
- nqeproduct
- nzwupdxtep
- orodzctdog
- paoduct
- pcoductpro
- peoductoow
- pioduct
- pmmduet
- poodhct
- posdoonioa
- posuownooa
- prcduai
- prcduct
- prfoucrdow
- prgductyy
- prhduct
- prmauct
- prmdbctpro
- proauctpro
- prodlct
- prodnct
- prodqcn
- prodrco
- produatpzo
- producadoo
- produci
- produco
- producoupd
- product
- productdet
- productdqw
- producthpd
- productlie
- productupd
- producu
- producy
- produet
- produurdow
- proiuctpro
- propsctpyo
- prouuct
- prrducu
- prtductad
- pupductera
- pyodqct
- pyoductprh
- rbupdctweu
- rkdownilad
- turodhct
- uadatedjwn
- uadatj
- uedatqdowu
- ueoatj
- uodate
- uodateao
- uodvye
- upaaip
- upaate
- updaad
- updaie
- updaiqarod
- update
- updateama
- updatedoon
- updatedown
- updateerod
- updateino
- updateupda
- updatjuoon
- updatwupda
- updayeline
- updcte
- updfae
- updgteeece
- updntedown
- updqteprca
- updqteprod
- updvte
- updzteuudc
- upeate
- upeatrarod
- upuate
- upuste
- upyateupda
- upyatg
- upyatq
- urhduct
- uroduce
- uuaate
- uudateprod
- uydate
- uzdayedown
- vpaate
- webdobnloa
- webdpwneob
- webupdatep
- weoprvduct
- wntrauwxat
- xldatza
- yeedownlxa
- yesojwnloa
- yownloaddo
- yownloadpr
- yroeuct
- zpoctedown
The %variable2% is one of the following strings:
- Airstring
- Alpha Jaydom
- Alphabam
- Ancof
- Angoflex
- Antough
- Bam Eco
- Betajob
- Bigtip
- Bigwarm
- Bio Dubkix
- Bionamfind
- Blueair
- Cansing
- Canzoztough
- Coftough
- Dam Bam
- Damex
- Dento-Dox
- Ding Eco
- Ding Sonhold
- Domlex
- Donfix
- Donflex
- Donsailtrax
- Dontop
- Double Quofind
- Drip Latlab
- Dripcom
- Driptop
- Duo Plus
- Duoair
- Duobam
- Eco-Soft
- Fax-Warm
- Fin Joyplus
- Fixsoft
- Freelab
- Fresh-Sing
- Freshfax
- Fun Hattip
- Geo-Zap
- Geodom
- Geolight
- Gold Cantax
- Golden Sailkix
- Goldensoft
- Goldentohold
- Gravelight
- Gravestock
- Gravetex
- Hatcanstring
- Hattone
- Holdtonflex
- Home-Fax
- Hot Is
- Hothatlab
- Hottinfan
- Hotzimtax
- Icerunfresh
- Icetam
- Inch-Warm
- Inchhold
- Inchwarm
- Incof
- It Sing
- Jobdax
- Jobfix
- Jobtrax
- Kan Quofind
- Konkfresh
- La Core
- Lam Sunair
- Lamsing
- Lamtip
- Lat Oveis
- Latair
- Lexi Andox
- Lexifax
- Lotit
- Mathdonity
- Mathstock
- Matin
- Med-Com
- Medron
- Movesunlam
- Movetex
- New Tech
- Newlight
- Nimflex
- Nimlamjob
- Ontoex
- Ontotax
- Open Plus
- Ozerex
- Ozerkeyhold
- Phys-Com
- Physdox
- Plus Lam
- Pluswarm
- Quad Zozlux
- Quote Top
- Ran-Lux
- Ranfan
- Rankix
- Round Tex
- Rundax
- S-ity
- Sailing
- Salt In
- San-Phase
- Sao-Stock
- Saotex
- Saotouch
- Scotrundex
- Sil-Lam
- Sildax
- Silkayzap
- Sing Quadsoft
- Singlezap
- Soft Redplus
- Softdax
- Softex
- Softfresh
- Sololux
- Son-It
- Stanfix
- Stantex
- Stim Trax
- Stimbam
- Stimis
- Stimtandax
- Strongcore
- Strongdex
- Strongla
- Strongplus
- Strongtax
- Sub Dom
- Sum Tex
- Sumtam
- Sunlight
- Supernix
- Tam Lotbam
- Tamfix
- Tampity
- Tamtam
- Tanstock
- Tech-Nix
- Techdinla
- Tempwarm
- Ton Cantex
- Tonfresh
- Tonwarm
- Topsolwarm
- Touchla
- Touchzap
- Tough-Cof
- Trippleflex
- Trippletintax
- Trust Solstring
- U- Saotip
- U- Zaming
- Unafind
- Unidom
- Uno Saoit
- Unotone
- Ventostatron
- Vila Zimtough
- Villatouch
- Viva Santex
- Viva Zeneco
- Viva-Lex
- Vivaotdox
- Vivasoncore
- Vol Latin
- Vol-Flex
- Volplus
- Volttech
- Voya Com
- Voyasonplus
- Whitesing
- X-bam
- X-plus
- Xxx- Soft
- Yearfan
- Yearlax
- Yearlotron
- Zaam-In
- Zath Fax
- Zen-Fax
- Zimlux
- Zone-Eco
- Zoneron
- Zoo Soltrax
- Zoofresh
- Zoom Trax
- Zoomlux
- Zoozap
- Zum Hotsing
- Zumfax
The %servicename% consists of some of the following strings:
- %variable1% %variable2%
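The persistence commands listed above (the sc create with start= auto, the sc failure restart action and the SCHTASKS logon task running as SYSTEM) share one tell a defender can key on: the executable lives under the user's AppData\Local folder. The script below is an added example, not code from the page or from ESET; it classifies constructed process-creation command lines (the paths and placeholder values are made up) and flags those three patterns, generalised to any executable name rather than the specific %variable0% list.

```python
import re

# Constructed sample process-creation command lines (not telemetry from the page):
# the first three mirror the persistence commands listed above with the
# placeholders filled in, the fourth is a benign service install for contrast.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\cmd.exe /c "sc create "download Airstring" binPath= '
    r'"C:\Users\alice\AppData\Local\Ancode.exe download download Airstring" '
    r'DisplayName= "Airstring" start= "auto""',
    r'sc failure "download Airstring" reset= 0 actions= restart/0',
    r'C:\Windows\System32\cmd.exe /c SCHTASKS.exe /Create /F /TN "download" '
    r'/TR "C:\Users\alice\AppData\Local\Ancode.exe 1734 8820" /SC onlogon /RL HIGHEST /ru "SYSTEM"',
    r'sc create "VendorAgent" binPath= "C:\Program Files\Vendor\agent.exe" start= auto',
]

# Both persistence methods launch a binary from the per-user AppData\Local folder,
# either expanded or still written as %localappdata%.
USER_WRITABLE = re.compile(r'%localappdata%|\\AppData\\Local\\', re.IGNORECASE)


def classify(cmdline):
    """Return the indicator tags one process command line matches (empty list if none)."""
    tags = []
    low = cmdline.lower()
    if re.search(r'\bsc(\.exe)?\s+create\b', low):
        binpath = re.search(r'binpath=\s*"?([^"]*)', cmdline, re.IGNORECASE)
        autostart = re.search(r'start=\s*"?auto', low)
        if binpath and autostart and USER_WRITABLE.search(binpath.group(1)):
            tags.append('autostart_service_from_localappdata')
    if re.search(r'\bsc(\.exe)?\s+failure\b.*actions=\s*restart', low):
        tags.append('service_restart_on_failure')   # self-healing: restarted after a kill
    if re.search(r'schtasks(\.exe)?\s+/create\b', low):
        task_run = re.search(r'/tr\s+"?([^"]*)', cmdline, re.IGNORECASE)
        as_system = re.search(r'/ru\s+"?system\b', low)
        on_logon = re.search(r'/sc\s+onlogon\b', low)
        if task_run and as_system and on_logon and USER_WRITABLE.search(task_run.group(1)):
            tags.append('system_logon_task_from_localappdata')
    return tags


def scan(cmdlines):
    """Map the index of every flagged command line to its indicator tags."""
    hits = {}
    for i, cmdline in enumerate(cmdlines):
        tags = classify(cmdline)
        if tags:
            hits[i] = tags
    return hits
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 records; the benign Program Files service in the sample is left unflagged, so the rule keys on location and privilege, not on sc or schtasks usage alone.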
Other information
The trojan contains a list of 2 URLs.
The trojan tries to download a file from the Internet.
The file is stored in the following location:
- %temp%\%variable%.tmp
The file is then executed. The HTTP and HTTPS protocols are used.
A string with variable content is used instead of %variable%.
The trojan requires the Microsoft .NET Framework to run.