Win32/Yebot [Threat Name]
Win32/Yebot.AC [Threat Variant Name]
Category | trojan |
Size | 175616 B |
Aliases | Win32:Rustock-AY (AVG) |
Short description
The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.
Installation
The trojan does not create any copies of itself.
The trojan may create the following files:
- %userprofile%\%variable1%.exe
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable1%" = "%userprofile%\%variable1%.exe"
This causes the trojan to be executed on every system start.
The trojan modifies the following file:
- %windir%\System32\ActionQueue.dll
Malicious code is executed every time the patched DLL is loaded.
The trojan creates and runs a new thread with its own program code within the following processes:
- chrome.exe
- csrss.exe
- firefox.exe
- iexplore.exe
- java.exe
- jusched.exe
- lsass.exe
- opera.exe
- safari.exe
- svchost.exe
The following Registry entries are set (they disable UAC, relax Internet Explorer zone security, and enable Remote Desktop with automatic logon and concurrent sessions):
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "EnableLUA" = 0
- "ConsentPromptBehaviorAdmin" = 5
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "AllowMultipleTSSessions" = 1
- "AutoAdminLogon" = "1"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
- "fDenyTSConnections" = 0
- "fEnableSalem" = 0
- "AllowTSConnections" = 1
- "AllowRemoteRPC" = 1
- "fSingleSessionPerUser" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
- "MaxInstanceCount" = 4294967295
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
- "EnableConcurrentSessions" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "NoProtectedModeBanner" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MedLow]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Medium]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Low]
- "1208" = 0
- "1406" = 0
- "1609" = 0
- "2103" = 0
- "2500" = 3
- [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
- "(Default)" = "."
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\%variable2%]
An account listed under this key with value 0 is hidden from the Windows logon screen.
The following services (Microsoft Antimalware and Windows Defender) are disabled:
- MsMpSvc
- WinDefend
A string with variable content is used instead of %variable1-2%.
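The following PowerShell triage script is an added example, not part of the ESET description and not code belonging to the malware. It reads only the locations named above and reports values that match the documented settings; it changes nothing. The Run-key heuristic (value name equal to the executable's base name under a profile root) and the interpretation of SpecialAccounts\UserList are this script's own assumptions. Some IE zone values and an enabled Remote Desktop are legitimate on many hosts, so treat matches as context for the analyst rather than proof of infection. Run it elevated so the HKLM keys and service start modes are readable.

```powershell
# Added triage script for the Win32/Yebot.AC installation indicators.
# Example code, not from the ESET page and not the trojan's own code. Read-only.

$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function ConvertTo-UnsignedDword($v) {
    # Get-ItemProperty returns REG_DWORD as Int32, so 4294967295 reads back as -1.
    if ($v -is [int]) { [int64]$v -band 0xFFFFFFFF } else { $v }
}

function Invoke-YebotInstallTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    function Test-RegValue([string]$Path, [string]$Name, $Expected, [string]$Why) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and "$(ConvertTo-UnsignedDword $item.$Name)" -eq "$Expected") {
            $findings.Add("$Path\$Name = $Expected  [$Why]")
        }
    }

    # 1. Run key: %userprofile%\%variable1%.exe registered under the value name %variable1%.
    #    Pairing the value name with the file name is this script's heuristic (assumption).
    $run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            if ("$($p.Value)" -match '^"?[A-Za-z]:\\(Users|Documents and Settings)\\[^\\]+\\([^\\]+)\.exe"?\s*$' -and
                $Matches[2] -eq $p.Name) {
                $findings.Add("Run value '$($p.Name)' launches $($p.Value)  [profile-root persistence]")
            }
        }
    }

    # 2. UAC, automatic logon and Remote Desktop settings.
    Test-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' 0 'UAC disabled'
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Test-RegValue $wl 'AutoAdminLogon' 1 'automatic logon'
    Test-RegValue $wl 'AllowMultipleTSSessions' 1 'multiple TS sessions'
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Test-RegValue $ts 'fDenyTSConnections' 0 'Remote Desktop enabled'
    Test-RegValue $ts 'fSingleSessionPerUser' 0 'several sessions per user'
    Test-RegValue $ts 'AllowRemoteRPC' 1 'remote RPC to Terminal Server'
    Test-RegValue "$ts\WinStations\RDP-Tcp" 'MaxInstanceCount' 4294967295 'unlimited RDP instances'
    Test-RegValue "$ts\Licensing Core" 'EnableConcurrentSessions' 1 'concurrent sessions'

    # 3. Internet Explorer zone values, in every key the description names (2500 = 3 turns Protected Mode off).
    $zoneMatch = @{ '1208' = 0; '1406' = 0; '1609' = 0; '2103' = 0; '2500' = 3 }
    $ieRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $zoneKeys = @(0..4 | ForEach-Object { "Zones\$_"; "Lockdown_Zones\$_" }) + @('Lockdown_Zones', 'MedLow', 'Medium', 'Low')
    foreach ($k in $zoneKeys) {
        foreach ($n in $zoneMatch.Keys) { Test-RegValue "$ieRoot\$k" $n $zoneMatch[$n] "IE setting $n in $k" }
    }

    # 4. Accounts hidden from the logon screen (a UserList value of 0 hides the account).
    $ul = Get-ItemProperty "$wl\SpecialAccounts\UserList" -ErrorAction SilentlyContinue
    if ($ul) {
        foreach ($p in $ul.PSObject.Properties) {
            if ($PsMeta -notcontains $p.Name) { $findings.Add("hidden account '$($p.Name)' (UserList = $($p.Value))") }
        }
    }

    # 5. Antimalware services switched to Disabled.
    Get-CimInstance Win32_Service -Filter "Name='MsMpSvc' OR Name='WinDefend'" -ErrorAction SilentlyContinue |
        Where-Object { $_.StartMode -eq 'Disabled' } |
        ForEach-Object { $findings.Add("service $($_.Name) is disabled") }

    # 6. The patched system DLL should still carry a valid Microsoft signature.
    $dll = Join-Path $env:windir 'System32\ActionQueue.dll'
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $findings.Add("$dll signature status: $($sig.Status)") }
    }

    return $findings
}

Invoke-YebotInstallTriage
```

ActionQueue.dll is catalog-signed rather than carrying an embedded signature, so on older PowerShell versions Get-AuthenticodeSignature reports NotSigned even for a clean file; confirm a reported DLL with `sfc /verifyfile=%windir%\System32\ActionQueue.dll` or by hashing it against a known-good copy from the same Windows build.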
Information stealing
Win32/Yebot.AC is a trojan that steals sensitive information.
The trojan collects information used to access certain sites.
The following programs are affected:
- Internet Explorer
- Mozilla Firefox
The trojan can send the information to a remote machine.
Other information
The trojan serves as a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 3 URLs. The HTTP protocol is used.
It can execute the following operations:
- create Registry entries
- download files from a remote computer and/or the Internet
- run executable files
- capture screenshots
- log keystrokes
- shut down/restart the computer
- log off the current user
- send the list of running processes to a remote computer
- send requested files
The trojan opens TCP port 8000 and runs a proxy that listens on it.
The trojan keeps various information in the following Registry key:
- [HKEY_USERS\Registry\User\%user%\SOFTWARE\Classes\CLSID\{%variable%}]
A string with variable content is used instead of %variable%.
The trojan may attempt to delete all files on the local drives.
The trojan may cause the operating system to crash.
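A runtime check for the two backdoor indicators above (the port 8000 proxy and the per-user CLSID key used as a data store), added here as an example; it is not code from the ESET page or from the malware. The listener check is exact. The CLSID heuristic, a GUID-named key under the user's Software\Classes\CLSID that holds binary values but has no COM server subkey, is this script's own assumption about what "various information" stored there would look like, so review each hit by hand. The HKEY_USERS\...\%user% path on the page is the same hive PowerShell exposes as HKCU: for the logged-on user.

```powershell
# Added runtime check for the Win32/Yebot.AC backdoor indicators.
# Example code, not from the ESET page and not the trojan's own code. Read-only.

$InjectionTargets = 'chrome', 'csrss', 'firefox', 'iexplore', 'java', 'jusched', 'lsass', 'opera', 'safari', 'svchost'

function Get-YebotRuntimeIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Which process listens on TCP 8000. Get-NetTCPConnection needs Windows 8 / 2012 or later;
    #    older hosts fall back to parsing netstat output.
    $listeners = @()
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listeners = @(Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Pid = $_.OwningProcess; Address = $_.LocalAddress } })
    } else {
        $listeners = @(netstat -ano | ForEach-Object {
            if ($_ -match '^\s*TCP\s+(\S+):8000\s+\S+\s+LISTENING\s+(\d+)\s*$') {
                [pscustomobject]@{ Pid = [int]$Matches[2]; Address = $Matches[1] }
            }
        })
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.Pid -ErrorAction SilentlyContinue
        # The injected thread runs inside a legitimate binary, so a listener owned by
        # csrss.exe, lsass.exe or svchost.exe is the expected shape of this indicator.
        $note = if ($proc -and $InjectionTargets -contains $proc.ProcessName.ToLower()) {
            'owner is one of the documented injection targets'
        } else {
            'review the owning process'
        }
        $findings.Add("TCP $($l.Address):8000 LISTENING in pid $($l.Pid) ($($proc.ProcessName)) [$note]")
    }

    # 2. Per-user CLSID keys used as a data store (heuristic, see lead-in).
    foreach ($key in Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue) {
        if ($key.PSChildName -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }
        $serverSubkeys = @($key.GetSubKeyNames() | Where-Object { $_ -in @('InprocServer32', 'LocalServer32', 'InprocHandler32', 'TreatAs') })
        $binaryValues = @($key.GetValueNames() | Where-Object { $key.GetValueKind($_) -eq 'Binary' })
        if ($serverSubkeys.Count -eq 0 -and $binaryValues.Count -gt 0) {
            $findings.Add("$($key.Name): no COM server subkey but binary value(s) $($binaryValues -join ', ')")
        }
    }

    return $findings
}

Get-YebotRuntimeIndicators
```

Because the proxy thread lives inside an injected system process, the process name alone will look benign; the useful follow-up is to dump the owning process and look for the hooked wininet/nspr4 functions listed below.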
The trojan hooks the following Windows APIs:
- BaseSetProcessCreateNotify (basesrv.dll)
- CreateProcessInternalW (kernel32.dll)
- ExitWindowsEx (user32.dll)
- HttpQueryInfoA (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetQueryOptionA (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)
- InternetSetStatusCallback (wininet.dll)
- MessageBoxTimeoutW (user32.dll)
- PR_Poll (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- RegisterServiceCtrlHandlerW (advapi32.dll)
- RegisterServiceCtrlHandlerW (sechost.dll)
- TranslateMessage (user32.dll)