Win32/Agent.YIJ [Threat Name]
Win32/Agent.YIJ [Threat Variant Name]
Category: trojan
Size: 124416 B
Short description
Win32/Agent.YIJ is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %folder%\%filename%%randomstring%%fileextension%
The %folder% is one of the following strings:
- %programfiles%
- %commonprogramfiles%
- %allusersprofile%
- %userprofile%
- %appdata%
- %temp%
The %filename% is one of the following strings:
- ms
- win
- gdi
- mfc
- vga
- igfx
- user
- help
- config
- update
- regsvc
- chkdsk
- systray
- audiodg
- certmgr
- autochk
- taskhost
- colorcpl
- services
- IconCache
- ThumbCache
- Cookies
%randomstring% represents random text.
The %fileextension% is one of the following strings:
- .exe
- .com
- .scr
- .pif
- .cmd
- .bat
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "%malwarefilepath%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "%malwarefilepath%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable%" = "%malwarefilepath%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable%" = "%malwarefilepath%"
A string with variable content is used instead of %variable%.
This causes the trojan to be executed on every system start.
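The dropped-file template and the four Run keys above are concrete enough to hunt for. The following is an added example, not ESET's code and not part of the original description: it expands the %folder% placeholders to their default Windows locations (an assumption; relocated profiles need the list adjusted), treats %randomstring% as alphanumeric (the page only says "random text"), and flags any Run value whose image path is a listed base name plus a suffix plus a listed extension, sitting directly in one of the listed folders. The registry entries are a constructed sample; on a live host feed it the output of a Run-key export.

```python
import re

# Base names and extensions exactly as listed on this page.
BASENAMES = ["ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config",
             "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr",
             "autochk", "taskhost", "colorcpl", "services", "IconCache",
             "ThumbCache", "Cookies"]
EXTENSIONS = [".exe", ".com", ".scr", ".pif", ".cmd", ".bat"]

# All four Run keys from the page. The Policies\Explorer\Run pair is the one
# most autorun inventories forget to enumerate, so keep it in the set.
RUN_KEYS = {k.lower() for k in [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]}


def expand_folders(user_profiles):
    """Map the page's %folder% placeholders to concrete directories.

    Default Windows locations are assumed (not stated on the page); pass every
    profile directory on the host, not only the current user's.
    """
    dirs = [r"C:\Program Files",               # %programfiles%
            r"C:\Program Files\Common Files",  # %commonprogramfiles%
            r"C:\ProgramData"]                 # %allusersprofile%
    for profile in user_profiles:
        dirs += [profile,                            # %userprofile%
                 profile + r"\AppData\Roaming",      # %appdata%
                 profile + r"\AppData\Local\Temp"]   # %temp%
    return dirs


def build_pattern(folders):
    """Regex for <folder>\\<basename><random><ext>: the file sits directly in
    the folder, with no subdirectory, as the page's path template shows.
    The random part is assumed alphanumeric."""
    folder_alt = "|".join(re.escape(d) for d in folders)
    base_alt = "|".join(re.escape(b) for b in BASENAMES)
    ext_alt = "|".join(re.escape(e) for e in EXTENSIONS)
    return re.compile(
        rf"^(?P<folder>{folder_alt})\\(?P<base>{base_alt})"
        rf"(?P<rand>[A-Za-z0-9]+)(?P<ext>{ext_alt})$",
        re.IGNORECASE,
    )


def image_path(value_data):
    """Pull the executable path out of a Run value. Quoted paths are
    unquoted; an unquoted value is taken whole (arguments are not stripped)."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data


def hunt(entries, pattern):
    """entries: (key, value_name, value_data) triples as exported from the
    registry. Returns the entries whose image path fits the dropper pattern."""
    hits = []
    for key, name, data in entries:
        if key.lower() not in RUN_KEYS:
            continue
        m = pattern.match(image_path(data))
        if m:
            hits.append({"key": key, "value": name, "path": m.group(0),
                         "base": m.group("base"), "ext": m.group("ext")})
    return hits


# Constructed sample: two entries in the trojan's style, three benign ones.
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Xq7zm", r'"C:\Users\alice\AppData\Roaming\taskhostxq7z.exe"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "1", r"C:\ProgramData\IconCacheA9.scr"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Users\alice\AppData\Roaming\update.exe"),   # no random suffix
]


def run_sample():
    pattern = build_pattern(expand_folders([r"C:\Users\alice"]))
    return hunt(SAMPLE_ENTRIES, pattern)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['key']}\\{hit['value']} -> {hit['path']}")
```

Expect false positives from the short base names ("ms", "win", "user"): a legitimate updater dropped as, say, userhelper.exe in %appdata% will match, so treat a hit as a lead to verify (signature, hash, creation time) rather than a verdict. Any hit under Policies\Explorer\Run deserves a closer look regardless of name, since very little legitimate software uses that key.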
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
- %system%\%application%
The %application% is one of the following strings:
- svchost.exe
- msiexec.exe
- wuauclt.exe
- lsass.exe
- wlanext.exe
- msg.exe
- lsm.exe
- dwm.exe
- help.exe
- chkdsk.exe
- cmmon32.exe
- nbtstat.exe
- spoolsv.exe
- rdpclip.exe
- control.exe
- taskhost.exe
- rundll32.exe
- systray.exe
- audiodg.exe
- wininit.exe
- services.exe
- autochk.exe
- autoconv.exe
- autofmt.exe
- cmstp.exe
- colorcpl.exe
- cscript.exe
- explorer.exe
- WWAHost.exe
- ipconfig.exe
- msdt.exe
- mstsc.exe
- NAPSTAT.EXE
- netsh.exe
- NETSTAT.EXE
- raserver.exe
- wscript.exe
- wuapp.exe
- cmd.exe
The trojan injects its code into the following processes:
- explorer.exe
- iexplore.exe
- firefox.exe
- chrome.exe
- microsoftedgecp.exe
- opera.exe
- safari.exe
- torch.exe
- maxthon.exe
- seamonkey.exe
- avant.exe
- deepnet.exe
- dragon.exe
- icedragon.exe
- spark.exe
- browser.exe
- outlook.exe
- poco.exe
- netscp.exe
- foxmail.exe
- incmail.exe
- thunderbird.exe
- barca.exe
- yahoomessenger.exe
- icq.exe
- pidgin.exe
- trillian.exe
- ybrowser.exe
- skype.exe
Information stealing
Win32/Agent.YIJ is a trojan that steals sensitive information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- user name
- operating system version
The trojan also collects information while the following applications are in use:
- Internet Explorer
- Microsoft Edge
- Microsoft Outlook
- Mozilla Firefox
- Mozilla Thunderbird
- Google Chrome
- Opera
- Safari Browser
- Torch Browser
- Maxthon
- Seamonkey
- Avant Browser
- Deepnet Explorer
- Comodo Dragon
- Comodo IceDragon
- Baidu Spark Browser
- Yandex Browser
- PocoMail
- Barca
- Netscape Navigator
- Foxmail
- Incredimail
- Yahoo Messenger
- ICQ
- Pidgin
- Trillian
- Yahoo! Browser
- Skype
It can execute the following operations:
- log keystrokes
- monitor network traffic
The collected information is stored in the following files:
- %appdata%\%variable1%\%variable2%.ini
A string with variable content is used instead of %variable1-2%.
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of one (1) URL. The HTTP protocol is used in the communication.
The network communication with remote computer/server is encrypted.
The trojan may execute the following commands:
- download files from a remote computer and/or the Internet
- run executable files
- terminate running processes
- update itself to a newer version
- delete cookies
- shut down/restart the computer
- send gathered information
- uninstall itself
The trojan hooks the following Windows APIs:
- EncryptMessage (sspicli.dll, secur32.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- WSASend (ws2_32.dll)
- PR_Write (nss3.dll, nspr4.dll)
- ssl3_write_app_data (chrome.dll, dragon_s.dll, browser.dll)
- GetMessageA (user32.dll)
- GetMessageW (user32.dll)
- SendMessageA (user32.dll)
- SendMessageW (user32.dll)
- PeekMessageA (user32.dll)
- PeekMessageW (user32.dll)
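The hooked exports above are the hand-off points where data is still plaintext: EncryptMessage, PR_Write and ssl3_write_app_data see outgoing data before TLS, HttpSendRequest and WSASend see it on the way to the socket, and the user32 message functions are where keystrokes pass. The following is an added example, not ESET's code and not part of the original description, of how an analyst can check whether those entry points have been patched with an inline trampoline. It inspects the first bytes of each export from inside a process: a jmp rel32, short jmp, indirect jmp, push/ret or mov/jmp at the entry point is reported; the normal hotpatch-able prologue (mov edi,edi; push ebp; mov ebp,esp) is not. Reading the real exports needs Windows and ctypes; the sample prologues below are constructed, not captured from any real hook.

```python
import sys

# Every (dll, export) pair this page lists as hooked, in the form ctypes wants.
# PR_Write and ssl3_write_app_data live in browser-private DLLs (nss3.dll,
# nspr4.dll, chrome.dll, ...) and have to be inspected inside that browser.
HOOKED_EXPORTS = [
    ("secur32", "EncryptMessage"), ("sspicli", "EncryptMessage"),
    ("wininet", "HttpSendRequestA"), ("wininet", "HttpSendRequestW"),
    ("ws2_32", "WSASend"),
    ("user32", "GetMessageA"), ("user32", "GetMessageW"),
    ("user32", "SendMessageA"), ("user32", "SendMessageW"),
    ("user32", "PeekMessageA"), ("user32", "PeekMessageW"),
]


def classify_prologue(code: bytes):
    """Return the kind of inline hook found at a function's first bytes, or
    None. None means "no trampoline at the entry point"; a patch deeper in
    the function body is not visible here."""
    if len(code) < 2:
        return None
    if code[0] == 0xE9:                       # jmp rel32
        return "jmp_rel32"
    if code[0] == 0xEB:                       # jmp rel8 (hotpatch style: jump back into the padding)
        return "short_jmp"
    if code[0:2] == b"\xFF\x25":              # jmp [mem]
        return "jmp_indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:            # push imm32; ret
        return "push_ret"
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":   # mov eax, imm32; jmp eax
        return "mov_eax_jmp"
    if len(code) >= 12 and code[0:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # mov rax, imm64; jmp rax
        return "mov_rax_jmp"
    return None


def read_prologue(dll, export, n=16):
    """Read the first n bytes of an export as mapped in this process.
    Windows only; on other platforms raise so the caller can skip it."""
    import ctypes
    if sys.platform != "win32":
        raise OSError("export prologues can only be read on Windows")
    mod = ctypes.WinDLL(dll)
    addr = ctypes.cast(getattr(mod, export), ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


def audit_exports(targets=HOOKED_EXPORTS, reader=read_prologue):
    """Report every target whose entry point starts with a trampoline."""
    findings = []
    for dll, export in targets:
        try:
            kind = classify_prologue(reader(dll, export))
        except (OSError, AttributeError):
            continue   # DLL not present on this build, or export missing
        if kind:
            findings.append((dll, export, kind))
    return findings


# Constructed prologues (assumed, not captured): the first is the ordinary
# hotpatch-able prologue and must come back clean, the rest are trampolines.
SAMPLE_PROLOGUES = {
    ("wininet", "HttpSendRequestA"): b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x20",
    ("wininet", "HttpSendRequestW"): b"\xE9\x12\x34\x56\x78\x90\x90\x90",
    ("ws2_32", "WSASend"):           b"\x48\xB8" + b"\x11" * 8 + b"\xFF\xE0",
    ("user32", "GetMessageW"):       b"\xEB\xF9\x55\x8B\xEC",
}


def run_sample():
    """Run the audit over the constructed prologues instead of live memory."""
    return audit_exports(list(SAMPLE_PROLOGUES),
                         lambda dll, export: SAMPLE_PROLOGUES[(dll, export)])


if __name__ == "__main__":
    findings = audit_exports() if sys.platform == "win32" else run_sample()
    for dll, export, kind in findings:
        print(f"{dll}!{export}: {kind}")
```

Run it inside the process you suspect (the browser or mail client, since the trojan injects there), not from a fresh Python interpreter, which would only show you an unpatched copy of the DLLs. A finding is evidence that something hooked the export, not that it was this trojan: endpoint security products and some browser-hardening tools patch the same functions, so compare the trampoline target against the list of loaded modules before drawing a conclusion.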
The trojan can detect presence of debuggers and other analytical tools.
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
- vmwareuser.exe
- vmwareservice.exe
- vboxservice.exe
- vboxtray.exe
- sandboxiedcomlaunch.exe
- sandboxierpcss.exe
- procmon.exe
- filemon.exe
- wireshark.exe
- netmon.exe
- prl_tools_service.exe
- prl_tools.exe
- prl_cc.exe
- sharedintapp.exe
- vmtoolsd.exe
- vmsrvc.exe
- vmusrvc.exe
- python.exe
- perl.exe
- regmon.exe
The trojan quits immediately if it detects a module loaded in its own process whose path contains one of the following strings:
- sbiedll.dll
- \CUCKOO\
- \SANDCASTLE\
- \ASWSNX\
- \SANDBOX\
- \smpdir\
- \samroot\
- \AVCTestSuite\
The trojan quits immediately if the user name is one of the following:
- sandbox-
- nmsdbox-
- xxxx-ox-
- cwsx-
- wilbert-sc
- xpamast-sc
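Because the trojan exits silently when any of the checks above fires, an analysis run that shows "no behaviour" may simply have tripped one of them. The following is an added example, not ESET's code and not part of the original description: given a snapshot of a sandbox guest (process names, loaded module paths, the logged-on user name), it reports every check from the three lists that the sample would trip, so the guest can be adjusted before the next run. Process and module matches are case-insensitive substring matches as the page describes; the user-name list is treated as prefixes, which is an assumption (the page says "is one of the following", but the trailing hyphens read like the start of generated names). The snapshot is constructed.

```python
# The three trigger lists exactly as given on this page, lower-cased for matching.
PROCESS_TRIGGERS = [
    "vmwareuser.exe", "vmwareservice.exe", "vboxservice.exe", "vboxtray.exe",
    "sandboxiedcomlaunch.exe", "sandboxierpcss.exe", "procmon.exe", "filemon.exe",
    "wireshark.exe", "netmon.exe", "prl_tools_service.exe", "prl_tools.exe",
    "prl_cc.exe", "sharedintapp.exe", "vmtoolsd.exe", "vmsrvc.exe", "vmusrvc.exe",
    "python.exe", "perl.exe", "regmon.exe",
]
MODULE_TRIGGERS = [
    "sbiedll.dll", "\\cuckoo\\", "\\sandcastle\\", "\\aswsnx\\", "\\sandbox\\",
    "\\smpdir\\", "\\samroot\\", "\\avctestsuite\\",
]
USERNAME_TRIGGERS = ["sandbox-", "nmsdbox-", "xxxx-ox-", "cwsx-", "wilbert-sc", "xpamast-sc"]


def evasion_triggers(processes, modules, username):
    """Return (category, observed value, trigger) for every check the sample
    would trip. Empty list means the snapshot passes all three checks."""
    hits = []
    for proc in processes:
        for trig in PROCESS_TRIGGERS:
            if trig in proc.lower():
                hits.append(("process", proc, trig))
    for mod in modules:
        for trig in MODULE_TRIGGERS:
            if trig in mod.lower():
                hits.append(("module", mod, trig))
    for trig in USERNAME_TRIGGERS:
        # Prefix match is an assumption; see the lead-in.
        if username.lower().startswith(trig):
            hits.append(("username", username, trig))
    return hits


# Constructed guest snapshot: a VMware guest driven by an in-guest Python
# harness under Sandboxie, logged on as an auto-generated user.
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "vmtoolsd.exe", "python.exe"]
SAMPLE_MODULES = [
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\SANDBOX\\hook\\SbieDll.dll",
]
SAMPLE_USERNAME = "sandbox-7f2a"


def run_sample():
    return evasion_triggers(SAMPLE_PROCESSES, SAMPLE_MODULES, SAMPLE_USERNAME)


if __name__ == "__main__":
    for category, observed, trigger in run_sample():
        print(f"{category:8} {observed!r} trips {trigger!r}")
```

Two of the triggers are easy to overlook: python.exe and perl.exe are on the process list, so driving the guest with an in-guest Python or Perl harness is enough to make the sample exit, and the module check is on the full path, so a Sandboxie or Cuckoo install in a directory named \SANDBOX\ trips it even when the DLL itself is renamed. Rename the interpreters, move the tooling out of the listed directory names, stop or rename the VM tool services, and pick a user name without a listed prefix before rerunning.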
The trojan contains both 32-bit and 64-bit program components.