Home / malware Trojan.Tsyrval.B
First posted on 10 February 2016.
Source: SymantecAliases :
There are no other names known for Trojan.Tsyrval.B.
Explanation :
When the Trojan is executed, it creates the following files: %AppData%\Intel\dtl.dat%AppData%\Intel\glp.uin%AppData%\Intel\hccutils.dll%AppData%\Intel\hccutils.inf%AppData%\Intel\hjwe.dat%AppData%\Intel\igfxtray.exe%AppData%\Intel\qhnj.dat%AppData%\Intel\QQMgr.dll%AppData%\Intel\QQMgr.inf%AppData%\Intel\ResN32.dat%AppData%\Intel\ResN32.dll%AppData%\Intel\tyeu.dat%AppData%\Intel\vnkd.datNext, the Trojan creates the following registry entries: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Eupdate" = ""c:\windows\system32\rundll32.exe" "%AppData%\Intel\ResN32.dll" Run"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"update" = ""c:\windows\system32\rundll32.exe" "%AppData%\Intel\ResN32.dll" Run"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%AppData%\Intel\ResN32.dll"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\"LoadAppInit_DLLs" = "1"
The Trojan then creates the following mutexes: Global\\{A59CF429-D0DD-4207-88A1-04090680F714}{CE2100CF-3418-4f9a-9D5D-CC7B58C5AC62}Global\\{6BB1120C-16E9-4c91-96D5-04B42D1611B4}
The Trojan then opens a back door and connects to the following remote location: 198.55.120.143:8080
Next, the Trojan gathers the following system information: Installed security softwareOS build number and architectureOS language IDUser nameIP addressMAC address
The Trojan may then perform the following actions: Execute commandsMonitor and record Skype text, audio, and video messages Capture screenshots
The Trojan may also access removable drives and gather files with the following extensions: .doc.docx.ppt.pptx.xls.xlsxLast update 10 February 2016
