
Backdoor.Wecoym


First posted on 17 June 2015.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Wecoym.

Explanation:

When executed, the Trojan copies itself to the following location:
  %UserProfile%\Application Data\Roaming\##[RANDOM CHARACTERS]\##[RANDOM CHARACTERS].exe

The Trojan then creates the following registry entry so that it runs every time Windows starts:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"##[RANDOM CHARACTERS].exe" = "%UserProfile%\Application Data\Roaming\##[RANDOM CHARACTERS]\##[RANDOM CHARACTERS].exe"

Next, the Trojan injects itself into the following processes:
  winlogon.exe
  explorer.exe

The Trojan then creates the following mutex:
  _5pecjkjklt_

Next, the Trojan connects to the following remote locations:
  [http://]api.wipmania.com[REMOVED]
  [http://]ipinfo.io/cou[REMOVED]

The Trojan also connects to the following remote location through TCP port 8586:
  nspr.cat

The Trojan may then perform the following actions:
  Delete files
  Download and execute files
  Log keystrokes
  Steal sensitive data
  Modify system settings
  Execute/end specific programs
  Update itself
  Open web page-like ad-click component
  Spoof DNS
  Redirect network traffic
  Block user connection
  Stop or remove itself
  Show system information
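As an added hunting example (not part of the Symantec write-up), the following Python checks exported Run-key values and connection records against the indicators listed above: the "##[RANDOM CHARACTERS]" persistence path, the two geolocation services contacted from the injected processes, and the nspr.cat channel on TCP 8586. The profile-path prefix is loosened (an assumption) so that both the documented %UserProfile% form and an expanded C:\Users\... path match, and the sample records are constructed.

```python
import re
from typing import Iterable

# Indicators from the description above. The "##[RANDOM CHARACTERS]" placeholders
# become regex groups; the profile-path prefix is loosened (an assumption) so the
# documented %UserProfile% form and an expanded C:\Users\... path both match.
RUN_PATH_RE = re.compile(r"\\Roaming\\##([^\\]+)\\##([^\\]+)\.exe$", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"^##[^\\]+\.exe$", re.IGNORECASE)
C2_HOST, C2_PORT = "nspr.cat", 8586
GEOIP_HOSTS = {"api.wipmania.com", "ipinfo.io"}
INJECTED = {"winlogon.exe", "explorer.exe"}


def check_run_entries(entries: Iterable[tuple[str, str]]) -> list[str]:
    """Flag Run-key values shaped like the persistence entry described above.
    `entries` are (value name, value data) pairs exported from the HKLM Run key."""
    hits = []
    for name, data in entries:
        if RUN_NAME_RE.match(name) and RUN_PATH_RE.search(data):
            hits.append(f"run-key persistence: {name} -> {data}")
    return hits


def check_connections(conns: Iterable[tuple[str, str, int]]) -> list[str]:
    """Flag the C2 channel, and geolocation lookups made by the two processes
    the Trojan injects into. `conns` are (process, dest host, dest port)."""
    hits = []
    for proc, host, port in conns:
        if host == C2_HOST and port == C2_PORT:
            hits.append(f"C2 traffic: {proc} -> {host}:{port}")
        elif host in GEOIP_HOSTS and proc.lower() in INJECTED:
            hits.append(f"geolocation lookup from injected process: {proc} -> {host}")
    return hits


# Constructed sample records (not taken from a real host).
SAMPLE_RUN = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("##qz9f.exe", r"%UserProfile%\Application Data\Roaming\##qz9f\##qz9f.exe"),
]
SAMPLE_CONNS = [
    ("chrome.exe", "ipinfo.io", 443),  # benign: a browser doing a lookup
    ("explorer.exe", "ipinfo.io", 80),
    ("explorer.exe", "nspr.cat", 8586),
]

if __name__ == "__main__":
    for hit in check_run_entries(SAMPLE_RUN) + check_connections(SAMPLE_CONNS):
        print(hit)
```

The mutex `_5pecjkjklt_` is not covered here because it has to be enumerated on the live host rather than read from an export.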

Last update 17 June 2015
