Win32/Sopinar [Threat Name] go to Threat

Win32/Sopinar.A [Threat Variant Name]

Category trojan
Size 114688 B
Aliases Trojan.Win32.Yakes.kvac (Kaspersky)
  Trojan:Win32/Sopinar.B (Microsoft)
  TR/Sopinar.114688 (Avira)
Short description

Win32/Sopinar.A is a trojan which tries to download other malware from the Internet. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\­%variable%.exe

A string with variable content is used instead of %variable% .


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "%system%\­%variable%.exe /shell"

After the installation is complete, the trojan deletes the original executable file.


The trojan quits immediately if any of the following applications is detected:

  • Sandboxie

The trojan creates and runs a new thread with its own program code within the following processes:

  • avant.exe
  • chrome.exe
  • dragon.exe
  • epic.exe
  • explorer.exe
  • firef.exe
  • firefox.exe
  • iexplore.exe
  • iron.exe
  • lsass.exe
  • maxthon.exe
  • mozilla.exe
  • msimn.exe
  • msmsgs.exe
  • myie.exe
  • navigator.exe
  • opera.exe
  • outlook.exe
  • safari.exe
  • seamonkey.exeservices.exe
  • thebat.exe
  • thunderbird.exe
Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • create Registry entries
  • shut down/restart the computer
  • uninstall itself

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­binaryImage%variable%]
  • [HKEY_LOCAL_MACHINE\­Software\­binaryImage%variable%]
  • [HKEY_USERS\­.DEFAULT\­Software\­binaryImage%variable%]
  • [HKEY_USERS\­S-1-5-18\­Software\­binaryImage%variable%]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­binaryImage%variable%]
  • [HKEY_LOCAL_MACHINE\­Software\­AppDataLow\­binaryImage%variable%]
  • [HKEY_USERS\­.DEFAULT\­Software\­AppDataLow\­binaryImage%variable%]
  • [HKEY_USERS\­S-1-5-18\­Software\­AppDataLow\­binaryImage%variable%]
  • [HKEY_CURRENT_USER\­Software\­xsw]

A string with variable content is used instead of %variable% .


The trojan may delete files stored in the following folders:

  • %userprofile%\­AppData\­Local\­Google\­Chrome\­User Data\­Default\­Cache\­
  • %userprofile%\­AppData\­Local\­Google\­Chrome\­
  • %userprofile%\­Local Settings\­Application Data\­Google\­Chrome\­

Please enable Javascript to ensure correct displaying of this content and refresh this page.