Win32/Yebot [Threat Name] go to Threat

Win32/Yebot.AB [Threat Variant Name]

Category	trojan
Size	302080 B
Aliases	Trojan.Win32.Genome.akrim (Kaspersky)
	Backdoor:Win32/Yebot.A (Microsoft)

Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

The trojan does not create any copies of itself.

The trojan modifies the following file:

%windir%\System32\ActionQueue.dll

Malicious code is executed every time an infected DLL is loaded.

The trojan launches the following processes:

%windir%\System32\sysprep\sysprep.exe

The trojan creates and runs a new thread with its own program code in all running processes except the following:

audiodg.exe
calc.exe
cmd.exe
conhost.exe
consent.exe
csc.exe
drvinst.exe
java.exe
javaw.exe
jusched.exe
lsm.exe
mobsync.exe
mscorsvw.exe
msiexec.exe
ngen.exe
ping.exe
sdiagnhost.exe
searchfilterhost.exe
searchindexer.exe
searchprotocolhost.exe
services.exe
skype.exe
smss.exe
spoolsu.exe
sppsvc.exe
sysprep.exe
taskeng.exe
taskmgr.exe
trustedinstaller.exe
update.exe
verclsid.exe
vssvc.exe
werfault.exe
wermgr.exe
wininit.exe
winlogon.exe
wmiprvse.exe
wmplayer.exe
wuauclt.exe

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "AllowMultipleTSSessions" = 1
- "AutoAdminLogon" = "1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
- "fDenyTSConnections" = 0
- "fEnableSalem" = 0
- "AllowTSConnections" = 1
- "AllowRemoteRPC" = 1
- "fSingleSessionPerUser" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
- "MaxInstanceCount" = 4294967295
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
- "EnableConcurrentSessions" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "EnableHttp1_1" = 1
- "ProxyHttp1.1" = 1
- "WarnOnPost" = 0
- "WarnOnPostRedirect" = 0
- "WarnOnIntranet" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
- "EnabledV8" = 0
- "ShownServiceDownBalloon" = 0
- "ClearBrowsingHistoryOnExit" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
- "1406" = 0

The trojan modifies the following file:

prefs.js

The trojan writes the following entries to the file:

user_pref(browser.safebrowsing.enabled, false);
user_pref(browser.safebrowsing.malware.enabled, false);
user_pref(security.warn_entering_weak, false);
user_pref(security.warn_entering_weak.show_once, false);
user_pref(security.warn_viewing_mixed, false);
user_pref(security.warn_viewing_mixed.show_once, false);
user_pref(privacy.clearOnShutdown.cookies, false);
user_pref(privacy.clearOnShutdown.sessions, false);
user_pref(network.http.spdy.enabled, false);

The trojan can modify the following file:

%windir%\System32\drivers\etc\hosts

Information stealing

Win32/Yebot.AB is a trojan that steals sensitive information.

The trojan collects the following information:

operating system version
current screen resolution
memory status
the path to specific folders
computer name
default Internet browser
computer IP address
language settings

The trojan collects information used to access certain sites.

The trojan can send the information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.

The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used.

It can execute the following operations:

modify network traffic
create Registry entries
redirect network traffic
modify website content
download files from a remote computer and/or the Internet
run executable files
capture screenshots
log keystrokes
shut down/restart the computer
log off the current user
open a specific URL address

The trojan opens TCP port 8000 . A proxy is listening there.

The trojan keeps various information in the following Registry key:

[HKEY_USERS\Registry\User\%user%\SOFTWARE\Classes\CLSID\{%variable%}

A string with variable content is used instead of %variable% .

The trojan may attempt to delete all files on the local drives.

The trojan may cause the operating system to crash.

The trojan hooks the following Windows APIs:

BaseSetProcessCreateNotify (basesrv.dll)
CreateFileW (kernel32.dll)
HttpOpenRequestA (wininet.dll)
HttpQueryInfoA (wininet.dll)
HttpSendRequestA (wininet.dll)
HttpSendRequestW (wininet.dll)
InternetCloseHandle (wininet.dll)
InternetQueryDataAvailable (wininet.dll)
InternetReadFile (wininet.dll)
InternetReadFileExA (wininet.dll)
InternetWriteFile (wininet.dll)
MessageBoxTimeoutW (user32.dll)
NtClose (ntdll.dll)
NtReadFile (ntdll.dll)
PR_Close (nspr4.dll)
PR_OpenTCPSocket (nspr4.dll)
PR_Read (nspr4.dll)
PR_Write (nspr4.dll)
RegisterServiceCtrlHandlerW (advapi32.dll)
RegisterServiceCtrlHandlerW (sechost.dll)
RtlFreeHeap (ntdll.dll)
TranslateMessage (user32.dll)
ZwResumeThread (ntdll.dll)
ZwSetValueKey (ntdll.dll)