Home / malwarePDF  

Backdoor:Win32/Fynloski.R


First posted on 07 July 2015.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Fynloski.R.

Explanation :

Threat behavior

Installation
This threat can create files on your PC, including:

  • \system.pif
  • %APPDATA% \roaming\installdir\help.exe
  • \anonymous - copia.png
  • \blackcircle@2x.png
  • \system.pif
  • \x.exe
  • %USERPROFILE% \documents\dcscmin\imdcsc.exe


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "DarkComet RAT"
With data: "%USERPROFILE%\documents\dcscmin\imdcsc.exe" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "help"
With data: "%USERPROFILE%\appdata\roaming\installdir\help.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "UserInit"
With data: "\userinit.exe,c:\users\administrator\documents\dcscmin\imdcsc.exe"
The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

Payload


Allows backdoor access and control

This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:

  • Deleting files
  • Downloading and running files
  • Logging your keystrokes or stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Spreading malware to other PCs
  • Uploading files


Connects to a remote host

We have seen this threat connect to a remote host, including:
  • networksecurityx.hopto.org using port 80
  • b.config.skype.com using port 53
Malware can connect to a remote host to do any of the following:
  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate


This malware description was published using automated analysis of file SHA1 32a6d7777b6bbcc9d9ff05d36291a88732dc7948.

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • \system.pif
    • %APPDATA% \roaming\installdir\help.exe
    • \anonymous - copia.png
    • \blackcircle@2x.png
    • \system.pif
    • \x.exe
    • %USERPROFILE% \documents\dcscmin\imdcsc.exe

  • You see registry modifications such as:
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "DarkComet RAT"
      With data: "%USERPROFILE%\documents\dcscmin\imdcsc.exe"

    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "help"
      With data: "%USERPROFILE%\appdata\roaming\installdir\help.exe"

    • In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      Sets value: "UserInit"
      With data: "\userinit.exe,c:\users\administrator\documents\dcscmin\imdcsc.exe"

Last update 07 July 2015

 

TOP

Malware :

Family: