Win32/Seleya [Threat Name] go to Threat

Win32/Seleya.A [Threat Variant Name]

Category trojan
Size 133288 B
Detection created Apr 15, 2011
Detection database version 10997
Aliases Trojan-Spy.Win32.Zbot.rcry (Kaspersky)
  VirTool:Win32/Injector.CI (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­nightupdate\­svchost.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "UpdateSvchost" = "%appdata%\­nightupdate\­svchost.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "UpdateSvchost" = "%appdata%\­nightupdate\­svchost.exe:*:Enabled:svchost"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet002\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "UpdateSvchost" = "%appdata%\­nightupdate\­svchost.exe:*:Enabled:svchost"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "UpdateSvchost" = "%appdata%\­nightupdate\­svchost.exe:*:Enabled:svchost"

The performed data entry creates an exception in the Windows Firewall program.


After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used in the communication.


It can execute the following operations:

  • perform DoS/DDoS attacks
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan may perform HTTP GET, HTTP POST, Slowloris, TCP SYN, TCP, UDP, ICMP PING attacks.

Please enable Javascript to ensure correct displaying of this content and refresh this page.