Win32/Fynloski [Threat Name] go to Threat

Win32/Fynloski.AA [Threat Variant Name]

Category trojan
Size 1299038 B
Aliases Backdoor.Win32.DarkKomet.xyk (Kaspersky)
  Backdoor:Win32/Fynloski.A (Microsoft)
  Backdoor.Graybird (Symantec)
  Win32:Delf-SQI (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself in some of the the following locations:

  • %windir%\­%variable1%
  • %system%\­%variable1%
  • %appdata%\­%variable1%
  • %favorites%\­%variable1%
  • %startup%\­%variable1%
  • %programs%\­%variable1%
  • %personal%\­%variable1%
  • %cookies%\­%variable1%
  • %desktop%\­%variable1%
  • %systemdrive%\­%variable1%
  • %currentfolder%\­%variable1%

The file is then executed.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Userinit" = "%originaldata%, %malwarefilepath%"

This causes the trojan to be executed on every system start.

A string with variable content is used instead of %variable1-2% .

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
    • "EnableLUA" = 0
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Security Center]
    • "AntiVirusDisableNotify" = "1"
    • "UpdatesDisableNotify" = "1"
  • [HKEY_LOCAL_MACHINE\­Software\­Policies\­Microsoft\­WindowsFirewall\­StandardProfile]
    • "EnableFirewall" = 0
    • "DisableNotifications" = 1
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­services\­wscsvc]
    • "Start" = 4

The trojan can create and run a new thread with its own program code within the following processes:

  • %programfiles%\­Internet Explorer\­iexplore.exe
  • %windir%\­explorer.exe
  • notepad.exe
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The TCP protocol is used.

It can execute the following operations:

  • hide taskbar
  • send data to the printer
  • watch the user's screen content
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send files to a remote computer
  • capture screenshots
  • open a specific URL address
  • send the list of running processes to a remote computer
  • terminate running processes
  • log keystrokes
  • shut down/restart the computer
  • collect information about the operating system used
  • steal information from the Windows clipboard
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • various filesystem operations
  • delete files
  • delete folders
  • create folders
  • create files
  • move files
  • start/stop services
  • capture webcam video/voice
  • execute shell commands
  • show/hide application windows
  • block keyboard and mouse input
  • perform port scanning
  • open the CD/DVD drive
  • log off the current user
  • delete Registry entries
  • create Registry entries

Please enable Javascript to ensure correct displaying of this content and refresh this page.