Manual descriptionAuto description
This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.
Manual descriptionAuto description
This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information.
Technical Details Payload Removal instructions
Technical Details
A trojan program designed to steal the user's authentication data. It is a Windows application (PE-EXE file). 6144 bytes. UPX packed. Unpacked size – around 12 kB. Written in C++.
Payload
After launching, the trojan checks for the following branch in the system registry:
If the branch is missing, it performs the following actions:
the body of the trojan is copied to the current user's temporary file directory:
%Temp%\Procmon.exe
The copy created is launched with the "loop" parameter.
When launching with the "loop" parameter, the trojan completes the processes with the "duospeak" substring in the names of their executable files. It then creates and launches the shell script "c:\test.bat" with the following content:
:try
del "<full path to the original trojan file>""
if exist "<full path to the original trojan file>" goto try
del %0
which results in the deletion of the original trojan file after it shuts down. The script is also deleted.
If this system registry branch is found, the trojan carries out the following actions:
This key saves the string containing the path to a DLL file.
It deletes the following file:
<Path>\YYCtrl.dll
The <Path> is made up of the previously read strings by deleting the last 14 symbols.
It retrieves the following file from its body:
<Path>\YYCtrl.dll
(4608 bytes; detected by Kaspersky Antivirus as "Trojan.Win32.Agent2.dmuw")
The file is created with the "hidden" attribute.
It modifies the library
<Path>\msvcr71.dll
writing the previously extracted library into the code loaded for a particular process. The malicious library "YYCtrl.dll" is therefore entered into the address space for all of the loaded "msvcr71.dll" processes.
It creates and runs the previously described "c:\test.bat" script, and then shuts down.
Having loaded the "duospeak.exe" process into the address space, the "YYCtrl.dll" library allows for the information entered by the user in the following window classes to be tracked:
YYMainWnd
YYLogin
Edit
The data collected is sent to the server in HTTP-requests:
124.***.56.12
121.***.13.22
Removal instructions
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
Using Task Manager, end the "duospeak.exe" process.
Delete the following files:
%Temp%\Procmon.exe
<Path>\YYCtrl.dll
Restore the original file contents:
<Path>\msvcr71.dll
Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
Makes copies of itself with the following names once launched:
Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\Procmon.exe
Malicious activity
Creates the following files:
c:\test.bat
Launches files shown below for execution:
c:\test.bat
Other activities
Runs the following files (commands):
Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\Procmon.exe
НОВОЕ НА САЙТЕ
17 апреля 2024 года
В 2023 году самыми всераспространенными Android-угрозами стали троянские программы, демонстрирующие рекламу. Шпионские троянские приложения по уподоблению с прошлым годом понизили свою энергичность таково словно стали вторыми по числу детектирований на защищаемых антивирусом Dr.Web устройствах. невзирая на то, словн... Вирусные новости
11 апреля 2024 года
Компания «Доктор Веб» 4 апреля сообщила о выпуске обновления для продуктов линейки Dr.Web Enterprise Security Suite, сертифицированных ФСТЭК России.
Компания «Доктор Веб» информирует о выпуске обновления Dr.Web Desktop Security Suite (для Windows), Dr.Web Server Security Suite (для Windows), Dr.Web Mail Security Suite (для MS Exchange) так как Агента Dr.Web для Windows в составе сертифицированного ФСТЭК нашей родины Dr.Web Enterprise Security Suite (сертификат соответствия №3509). В рамках ... Антивирус Dr.Web
1 апреля 2024 года
Согласно этим статистики детектирований Dr.Web для мобильных механизмов Android, в феврале 2024 лета несравнимо возросла энергичность маркетинговых троянских программ из семейства Android.HiddenAdsВирусные новости
1 апреля 2024 года
Анализ статистики детектирований антивируса Dr.Web в феврале 2024 лета отобразил рост общего числа найденных опасностей на 1,26% по уподоблению с январем. При данном количество удивительных опасностей снизилось на 0,78%. фаворитные позиции по численности детектирований снова заняли всевозможные маркетинговые... Вирусные новости