Win32/Yebot [Threat Name]

Win32/Yebot.AB [Threat Variant Name]

Category trojan
Size 302080 B
Detection created Jan 18, 2013
Detection database version 7906
Aliases Trojan.Win32.Genome.akrim (Kaspersky)
  Backdoor:Win32/Yebot.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

The trojan does not create any copies of itself.


The trojan modifies the following file:

  • %windir%\System32\ActionQueue.dll

Malicious code is executed every time an infected DLL is loaded.


The trojan launches the following processes:

  • %windir%\System32\sysprep\sysprep.exe

The trojan creates and runs a new thread with its own program code in all running processes except the following:

  • audiodg.exe
  • calc.exe
  • cmd.exe
  • conhost.exe
  • consent.exe
  • csc.exe
  • drvinst.exe
  • java.exe
  • javaw.exe
  • jusched.exe
  • lsm.exe
  • mobsync.exe
  • mscorsvw.exe
  • msiexec.exe
  • ngen.exe
  • ping.exe
  • sdiagnhost.exe
  • searchfilterhost.exe
  • searchindexer.exe
  • searchprotocolhost.exe
  • services.exe
  • skype.exe
  • smss.exe
  • spoolsu.exe
  • sppsvc.exe
  • sysprep.exe
  • taskeng.exe
  • taskmgr.exe
  • trustedinstaller.exe
  • update.exe
  • verclsid.exe
  • vssvc.exe
  • werfault.exe
  • wermgr.exe
  • wininit.exe
  • winlogon.exe
  • wmiprvse.exe
  • wmplayer.exe
  • wuauclt.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "AllowMultipleTSSessions" = 1
    • "AutoAdminLogon" = "1"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    • "fDenyTSConnections" = 0
    • "fEnableSalem" = 0
    • "AllowTSConnections" = 1
    • "AllowRemoteRPC" = 1
    • "fSingleSessionPerUser" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    • "MaxInstanceCount" = 4294967295
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
    • "EnableConcurrentSessions" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "EnableHttp1_1" = 1
    • "ProxyHttp1.1" = 1
    • "WarnOnPost" = 0
    • "WarnOnPostRedirect" = 0
    • "WarnOnIntranet" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
    • "EnabledV8" = 0
    • "ShownServiceDownBalloon" = 0
    • "ClearBrowsingHistoryOnExit" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
    • "1406" = 0

The trojan modifies the following file:

  • prefs.js

The trojan writes the following entries to the file:

  • user_pref(browser.safebrowsing.enabled, false);
  • user_pref(browser.safebrowsing.malware.enabled, false);
  • user_pref(security.warn_entering_weak, false);
  • user_pref(security.warn_entering_weak.show_once, false);
  • user_pref(security.warn_viewing_mixed, false);
  • user_pref(security.warn_viewing_mixed.show_once, false);
  • user_pref(privacy.clearOnShutdown.cookies, false);
  • user_pref(privacy.clearOnShutdown.sessions, false);
  • user_pref(network.http.spdy.enabled, false);
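As an added, defender-side illustration (not ESET's code and not taken from the description itself), the following Python audits a host for the two artifact sets above: the Registry values the trojan sets and the user_pref() lines it writes to prefs.js. Both sample inputs are constructed inline so the script runs offline; on a live host the registry mapping would be populated from winreg or a reg export, which is an assumption of this example rather than something the description states.

```python
"""Audit a host for the Win32/Yebot.AB artifacts listed above.

Added illustration, not ESET's code. Checks a Firefox prefs.js text for the
weakened user_pref() lines and a registry snapshot for the values the trojan
sets. Sample inputs are constructed inline; on a live host the snapshot would
come from winreg or 'reg export' (an assumption of this example).
"""
import re

# user_pref names the description says the trojan writes, all set to false.
YEBOT_PREFS = {
    "browser.safebrowsing.enabled",
    "browser.safebrowsing.malware.enabled",
    "security.warn_entering_weak",
    "security.warn_entering_weak.show_once",
    "security.warn_viewing_mixed",
    "security.warn_viewing_mixed.show_once",
    "privacy.clearOnShutdown.cookies",
    "privacy.clearOnShutdown.sessions",
    "network.http.spdy.enabled",
}

# Matches both the quoted form Firefox writes and the unquoted form listed above.
_PREF_RE = re.compile(r'user_pref\(\s*"?([\w.\-]+)"?\s*,\s*([^)]*?)\s*\);')


def check_prefs_js(text):
    """Return the Yebot-listed preferences that are set to false, in file order."""
    hits = []
    for m in _PREF_RE.finditer(text):
        name, value = m.group(1), m.group(2).strip().strip('"')
        if name in YEBOT_PREFS and value.lower() == "false":
            hits.append(name)
    return hits


TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
INET = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PHISH = r"HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"

# (key path, value name) -> data the trojan sets, copied from the list above.
YEBOT_REG = {
    (WINLOGON, "AllowMultipleTSSessions"): 1,
    (WINLOGON, "AutoAdminLogon"): "1",
    (TS, "fDenyTSConnections"): 0,
    (TS, "fEnableSalem"): 0,
    (TS, "AllowTSConnections"): 1,
    (TS, "AllowRemoteRPC"): 1,
    (TS, "fSingleSessionPerUser"): 0,
    (TS + r"\WinStations\RDP-Tcp", "MaxInstanceCount"): 4294967295,
    (TS + r"\Licensing Core", "EnableConcurrentSessions"): 1,
    (INET, "EnableHttp1_1"): 1,
    (INET, "ProxyHttp1.1"): 1,
    (INET, "WarnOnPost"): 0,
    (INET, "WarnOnPostRedirect"): 0,
    (INET, "WarnOnIntranet"): 0,
    (PHISH, "EnabledV8"): 0,
    (PHISH, "ShownServiceDownBalloon"): 0,
    (PHISH, "ClearBrowsingHistoryOnExit"): 0,
}
# The per-zone IE settings repeat for zones 0-4, so they are generated here.
for zone in range(5):
    zkey = INET + r"\Zones\%d" % zone
    YEBOT_REG[(zkey, "1409")] = 3   # XSS filter: 3 = disabled
    YEBOT_REG[(zkey, "1609")] = 0   # mixed content: 0 = display without prompt
    YEBOT_REG[(zkey, "1406")] = 0   # cross-domain data access: 0 = allow
    if zone:
        YEBOT_REG[(INET + r"\Lockdown_Zones\%d" % zone, "1406")] = 0


def audit_registry(snapshot):
    """snapshot: {(key path, value name): data}. Return the entries whose data
    equals what the trojan writes, as (key, name, data) in YEBOT_REG order."""
    norm = {(k.lower(), n.lower()): v for (k, n), v in snapshot.items()}
    found = []
    for (key, name), expected in YEBOT_REG.items():
        data = norm.get((key.lower(), name.lower()))
        # str() so REG_SZ "1" and REG_DWORD 1 compare the way the list shows them
        if data is not None and str(data) == str(expected):
            found.append((key, name, data))
    return found


# Constructed sample inputs (not captured from a real infection).
SAMPLE_PREFS = """\
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.startup.homepage", "about:home");
user_pref("security.warn_viewing_mixed", false);
user_pref("network.http.spdy.enabled", true);
user_pref(privacy.clearOnShutdown.cookies, false);
"""
SAMPLE_REGISTRY = {
    (TS, "fDenyTSConnections"): 0,
    (TS, "AllowTSConnections"): 1,
    (TS, "fSingleSessionPerUser"): 1,   # Windows default, not flagged
    (WINLOGON, "AutoAdminLogon"): "1",
    (INET + r"\Zones\3", "1409"): 3,
}

if __name__ == "__main__":
    for name in check_prefs_js(SAMPLE_PREFS):
        print("prefs.js: %s set to false" % name)
    for key, name, data in audit_registry(SAMPLE_REGISTRY):
        print("registry: %s\\%s = %r" % (key, name, data))
```

Single matches have ordinary explanations (fDenyTSConnections = 0 simply means Remote Desktop is enabled), so the useful signal is the cluster: Winlogon auto-logon together with the concurrent-session and unlimited-instance RDP values, the IE zone and prefs.js weakening, and the modified ActionQueue.dll named earlier on this page.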

The trojan can modify the following file:

  • %windir%\System32\drivers\etc\hosts

Information stealing

Win32/Yebot.AB is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • current screen resolution
  • memory status
  • the path to specific folders
  • computer name
  • default Internet browser
  • computer IP address
  • language settings

The trojan collects information used to access certain sites.


The trojan can send the information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used.


It can execute the following operations:

  • modify network traffic
  • create Registry entries
  • redirect network traffic
  • modify website content
  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • log keystrokes
  • shut down/restart the computer
  • log off the current user
  • open a specific URL address

The trojan opens TCP port 8000. A proxy is listening there.


The trojan keeps various information in the following Registry key:

  • [HKEY_USERS\Registry\User\%user%\SOFTWARE\Classes\CLSID\{%variable%}]

A string with variable content is used instead of %variable%.


The trojan may attempt to delete all files on the local drives.


The trojan may cause the operating system to crash.


The trojan hooks the following Windows APIs:

  • BaseSetProcessCreateNotify (basesrv.dll)
  • CreateFileW (kernel32.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • MessageBoxTimeoutW (user32.dll)
  • NtClose (ntdll.dll)
  • NtReadFile (ntdll.dll)
  • PR_Close (nspr4.dll)
  • PR_OpenTCPSocket (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • RegisterServiceCtrlHandlerW (advapi32.dll)
  • RegisterServiceCtrlHandlerW (sechost.dll)
  • RtlFreeHeap (ntdll.dll)
  • TranslateMessage (user32.dll)
  • ZwResumeThread (ntdll.dll)
  • ZwSetValueKey (ntdll.dll)
