Win32/Yebot [Threat Name]

Win32/Yebot.AC [Threat Variant Name]

Category: trojan
Size: 175616 B
Detection created: Oct 08, 2013
Detection database version: 8892
Aliases: Win32:Rustock-AY (AVG)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

The trojan does not create any copies of itself.


The trojan may create the following files:

  • %userprofile%\%variable1%.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%userprofile%\%variable1%.exe"

This causes the trojan to be executed on every system start.


The trojan modifies the following file:

  • %windir%\System32\ActionQueue.dll

Malicious code is executed every time an infected DLL is loaded.


The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • csrss.exe
  • firefox.exe
  • iexplore.exe
  • java.exe
  • jusched.exe
  • lsass.exe
  • opera.exe
  • safari.exe
  • svchost.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
    • "ConsentPromptBehaviorAdmin" = 5
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "AllowMultipleTSSessions" = 1
    • "AutoAdminLogon" = "1"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    • "fDenyTSConnections" = 0
    • "fEnableSalem" = 0
    • "AllowTSConnections" = 1
    • "AllowRemoteRPC" = 1
    • "fSingleSessionPerUser" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    • "MaxInstanceCount" = 4294967295
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
    • "EnableConcurrentSessions" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MedLow]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Medium]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Low]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
    • "(Default)" = "."
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\%variable2%]

The following services are disabled:

  • MsMpSvc
  • WinDefend

A string with variable content is used instead of %variable1-2%.
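The following PowerShell audit is an added defender-side example, not part of the ESET entry: it reads the host's Registry and service state and reports which of the values listed above (the UAC, Winlogon, Terminal Server and Internet Explorer settings, the Run-key persistence pattern and the two disabled services) are currently present. Paths and values are copied from the entry; the trojan's own file and value names (%variable1%) are not known, so the Run check matches on their shape only.

```powershell
# Added audit example, not from the ESET entry. Read-only; run from an
# elevated PowerShell 5+ prompt. Indicator paths/values are copied from the
# entry above; the trojan's own file and value names (%variable1%) are
# unknown, so the Run check looks for the shape "<name>" -> %userprofile%\<name>.exe.
$Indicators = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Value = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorAdmin'; Value = 5 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AllowMultipleTSSessions'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AutoAdminLogon'; Value = '1' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fDenyTSConnections'; Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'AllowTSConnections'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'AllowRemoteRPC'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fSingleSessionPerUser'; Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'MaxInstanceCount'; Value = 4294967295 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core'; Name = 'EnableConcurrentSessions'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'NoProtectedModeBanner'; Value = 1 }
)

$regHits = foreach ($i in $Indicators) {
    # A missing key or value is not a hit; SilentlyContinue keeps the loop going
    $actual = (Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue).($i.Name)
    if ($null -eq $actual) { continue }
    # REG_DWORD is returned as a signed Int32, so 0xFFFFFFFF reads as -1; normalise it
    if ($actual -is [int] -and $actual -lt 0) { $actual = [int64]$actual + 4294967296 }
    if ("$actual" -eq "$($i.Value)") {
        [pscustomobject]@{ Kind = 'Registry'; Where = "$($i.Path)\$($i.Name)"; Value = $actual }
    }
}

# Persistence: a Run value whose data is %userprofile%\<value name>.exe.
# Only the current user's profile can be matched here; the trojan expands
# %userprofile% for whichever account it ran under.
$run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
$runHits = foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -notlike 'PS*' -and "$($p.Value)" -ieq "$env:USERPROFILE\$($p.Name).exe") {
        [pscustomobject]@{ Kind = 'Run'; Where = $p.Name; Value = $p.Value }
    }
}

# The entry lists both Defender service names as disabled
$svcHits = Get-Service -Name MsMpSvc, WinDefend -ErrorAction SilentlyContinue |
    Where-Object { $_.StartType -eq 'Disabled' } |
    ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Where = $_.Name; Value = $_.StartType } }

$all = @($regHits) + @($runHits) + @($svcHits)
if ($all.Count -eq 0) { 'No Win32/Yebot.AC indicators found.' } else { $all | Format-Table -AutoSize }
```

A single hit (for example EnableLUA = 0 on a host where an administrator turned UAC off) is not proof of infection; the combination of the Terminal Server changes, the AutoAdminLogon value and the disabled Defender services together is what matches this entry.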

Information stealing

Win32/Yebot.AC is a trojan that steals sensitive information.


The trojan collects information used to access certain sites.


The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox

The trojan can send the information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • create Registry entries
  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • log keystrokes
  • shut down/restart the computer
  • log off the current user
  • send the list of running processes to a remote computer
  • send requested files

The trojan opens TCP port 8000. A proxy is listening there.


The trojan keeps various information in the following Registry key:

  • [HKEY_USERS\Registry\User\%user%\SOFTWARE\Classes\CLSID\{%variable%}]

A string with variable content is used instead of %variable%.


The trojan may attempt to delete all files on the local drives.


The trojan may cause the operating system to crash.


The trojan hooks the following Windows APIs:

  • BaseSetProcessCreateNotify (basesrv.dll)
  • CreateProcessInternalW (kernel32.dll)
  • ExitWindowsEx (user32.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetQueryOptionA (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetSetStatusCallback (wininet.dll)
  • MessageBoxTimeoutW (user32.dll)
  • PR_Poll (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • RegisterServiceCtrlHandlerW (advapi32.dll)
  • RegisterServiceCtrlHandlerW (sechost.dll)
  • TranslateMessage (user32.dll)
