Malware Backdoor.Win32.Agent.bhyr

Posted: September 1, 2012 in Encyclopedia viruses

Virus Alert: Backdoor.Win32.Agent.bhyr – Trojan that provides a remote malicious user with access to the infected computer.

Technical details

This Trojan provides a remote malicious user with access to the infected computer. The program itself is a Windows PE-EXE file, 107,170 bytes in size, written in C++.

Destructive activity

When run, the backdoor extracts a file from its body and saves it under the following name:

%SystemDrive%\Documents and Settings\Local User\lss.dll

This file is 17916481 bytes in size and is detected by Kaspersky Anti-Virus as Backdoor.Win32.Agent.bhyr.

Next, the backdoor creates a service called «360svc» (service display name «Serial Number Service») and creates the following registry keys:

[HKLM\System\ControlSet001\Services\360svc]
"Description" = "might not be down loaded to the device."
"IsalouentlMdl" = "%Original Filename%"

[HKLM\System\ControlSet001\Services\360svc\Parameters]
"ServiceDll" = "%SystemDrive%\Documents and Settings\Local User\lss.dll"

The backdoor also appends the service name «360svc» to the end of the multi-string value of the following registry key, so that the service is loaded by the shared svchost group:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"

After that, the backdoor starts the service. This loads the extracted library into the address space of the system process «svchost.exe».
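The svchost «netsvcs» persistence described above can be audited on a live system with the following PowerShell check, an added example that is not part of the original post: it walks the netsvcs group, resolves each member's ServiceDll and flags DLLs that sit outside %SystemRoot%\System32, are missing on disk, or fail Authenticode validation. The trusted directory is an assumption; legitimate third-party entries will also appear and need review.

```powershell
# Added example, not from the original post: audit the svchost "netsvcs" group
# for service DLLs that are loaded from outside %SystemRoot%\System32, the
# persistence technique this backdoor uses (service "360svc", ServiceDll under
# "Documents and Settings"). Run from an elevated PowerShell prompt.
# Assumption: only DLLs under System32 are treated as expected for this group.

$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$groupName  = 'netsvcs'
$trustedDir = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()

# netsvcs is a REG_MULTI_SZ: one service short name per entry.
$members = (Get-ItemProperty -Path $svcHostKey -Name $groupName).$groupName

foreach ($name in $members) {
    $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }   # group member without a ServiceDll: nothing to check

    # Expand %SystemRoot%-style variables so the directory comparison is meaningful.
    $expanded = [Environment]::ExpandEnvironmentVariables($dll).ToLowerInvariant()
    $outside  = -not $expanded.StartsWith($trustedDir)
    $missing  = -not (Test-Path -LiteralPath $expanded)

    # Authenticode status is a second signal: Microsoft service DLLs are signed.
    $sig = if ($missing) { 'file missing' } else { (Get-AuthenticodeSignature -FilePath $expanded).Status }

    [PSCustomObject]@{
        Service    = $name
        ServiceDll = $dll
        Signature  = $sig
        Suspicious = ($outside -or $missing -or ($sig -ne 'Valid'))
    }
}
```

Entries reported as suspicious should be compared against the service's display name and binary before removal, as the same check also surfaces unsigned but legitimate vendor services.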

When run, the library:

– gets the original name of the backdoor by reading the registry key:

[HKLM\System\ControlSet001\Services\360svc] "IsalouentlMdl"

– deletes the original backdoor file.

– gets access to the user's desktop, the clipboard and keyboard input;

– establishes a network connection and exchanges data with the following host:

moyu *** cp.net

At the time of writing, the host does not respond.

– creates a key in the registry:

[HKLM\System\CurrentControlSet\Services\360svc] "Type" = "288"

The library can download files to the computer from a given link and run them, and can inject code into the address space of another process.

While running, the backdoor creates a unique identifier named «YuAnk Update».

Removal

If your computer was not protected by an antivirus and is infected with this malware, do the following to remove it:

Delete the original backdoor file, if it exists. Its location on the infected computer can be determined by reading the value of the following registry key:

[HKLM\System\ControlSet001\Services\360svc] "IsalouentlMdl"

Stop a service called «Serial Number Service».

Remove the following registry branches and all keys in them:

[HKLM\System\ControlSet001\Services\360svc]
[HKLM\System\CurrentControlSet\Services\360svc]

Delete the entry «360svc» from the list in the following system registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"

Delete the file:

%SystemDrive%\Documents and Settings\Local User\lss.dll
