Win32/Chyzvis [Threat Name]

Win32/Chyzvis.B [Threat Variant Name]

Category worm
Size 238592 B
Aliases Trojan.Win32.Scar.bwot (Kaspersky)
  DLOADER.IRC.Trojan (Dr.Web)
  BackDoor.Ircbot.LUQ.trojan (AVG)
Short description

Win32/Chyzvis.B is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the following location:

  • %system%\Sysinfo.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Sysinfo.exe" = "%system%\Sysinfo.exe"

The worm executes the following command:

  • cmd.exe /K netsh firewall add allowedprogram %system%\Sysinfo.exe sysupdate ENABLE & exit

This command adds a Windows Firewall exception for the worm's executable, so its inbound and outbound connections are not blocked.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • idg2.exe

The following file is dropped in the same folder:

  • Autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm may create the following files:

  • %system%\nethlp.dll
  • %system%\winupd.dat
  • %system%\winupd.apt
  • %system%\syslog.dll
  • %windows%\s.jpg

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:

  • vnx.xf.cz
  • leaf.nerv.ne.jp

The FTP, IRC and HTTP protocols are used. It can be controlled remotely.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • open a specific URL address
  • steal information from the Windows clipboard
  • capture screenshots
  • run executable files
  • delete cookies
  • move files

The worm collects information related to the following applications:

  • Total Commander

The worm collects the following information:

  • FTP account information

The worm can send the information to a remote machine. The FTP protocol is used.
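The following is an added example, not part of the original description: a small host-telemetry check that maps the indicators listed above (the netsh firewall exception, the Run key, the EnableLUA change, the dropped file names, the contacted hosts and the Autorun.inf launcher) onto rules. The event dictionaries and sample values are constructed for illustration.

```python
import re

# Indicators taken from the Win32/Chyzvis.B description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DROPPED_NAMES = {"sysinfo.exe", "idg2.exe", "nethlp.dll", "winupd.dat", "winupd.apt", "syslog.dll"}
C2_HOSTS = {"vnx.xf.cz", "leaf.nerv.ne.jp"}
NETSH_RE = re.compile(r"netsh\s+firewall\s+add\s+allowedprogram\s+(\S+)", re.IGNORECASE)

def check_event(ev: dict) -> list:
    """Return the names of the Chyzvis.B indicators matched by one telemetry event."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        m = NETSH_RE.search(ev.get("cmdline", ""))
        if m and m.group(1).lower().endswith("\\sysinfo.exe"):
            hits.append("firewall_exception_sysinfo")
        if ev.get("image", "").lower().endswith(("\\sysinfo.exe", "\\idg2.exe")):
            hits.append("worm_image_executed")
    elif kind == "registry":
        key, name, data = ev.get("key", "").lower(), ev.get("name", "").lower(), ev.get("data")
        if key == RUN_KEY.lower() and name == "sysinfo.exe":
            hits.append("run_key_persistence")
        if key == POLICY_KEY.lower() and name == "enablelua" and str(data) == "0":
            hits.append("uac_disabled")  # EnableLUA = 0 turns User Account Control off
    elif kind == "file":
        if ev.get("path", "").lower().rsplit("\\", 1)[-1] in DROPPED_NAMES:
            hits.append("known_dropped_file")
    elif kind == "dns":
        if ev.get("query", "").lower() in C2_HOSTS:
            hits.append("c2_host_lookup")
    return hits

def autorun_points_to_worm(inf_text: str) -> bool:
    """True if an Autorun.inf from a removable drive launches the worm's copy idg2.exe."""
    for line in inf_text.splitlines():
        k, _, v = line.partition("=")
        if k.strip().lower() in {"open", "shellexecute", "shell\\open\\command"} and "idg2.exe" in v.lower():
            return True
    return False

def scan(events: list) -> list:
    """Aggregate the distinct indicator names matched across a batch of events."""
    return sorted({name for ev in events for name in check_event(ev)})

SAMPLE_EVENTS = [  # constructed telemetry, not taken from the original page
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /K netsh firewall add allowedprogram C:\Windows\System32\Sysinfo.exe sysupdate ENABLE & exit"},
    {"type": "registry", "key": RUN_KEY, "name": "Sysinfo.exe", "data": r"C:\Windows\System32\Sysinfo.exe"},
    {"type": "registry", "key": POLICY_KEY, "name": "EnableLUA", "data": 0},
    {"type": "file", "path": r"E:\idg2.exe"},
    {"type": "dns", "query": "leaf.nerv.ne.jp"},
    {"type": "process", "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"},
]
```

Any single hit from `scan()` is worth investigating; the Run key value together with the netsh exception is the strongest combination because benign software rarely registers a firewall exception for a file named Sysinfo.exe in %system%.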
