Backdoor.Win32.Agent.bhyr – a Trojan that gives a remote attacker access to the infected computer.
Technical details
This Trojan gives a remote attacker access to the infected computer. The program is a Windows PE-EXE file, 107,170 bytes in size, written in C++.
Destructive activity
When run, the backdoor extracts a file from its own body and saves it under the following name:
%SystemDrive%\Documents and Settings\Local User\lss.dll
This file is 17916481 bytes in size and is detected by Kaspersky Anti-Virus as Backdoor.Win32.Agent.bhyr.
Next, the backdoor creates a service named «360svc» (service display name «Serial Number Service») and creates the following registry keys and values:
[HKLM\System\ControlSet001\Services\360svc]
"Description" = "might not be down loaded to the device."
"IsalouentlMdl" = "%Original Filename%"
[HKLM\System\ControlSet001\Services\360svc\Parameters]
"ServiceDll" = "%SystemDrive%\Documents and Settings\Local User\lss.dll"
The backdoor also appends the service name «360svc» to the end of the string list stored in the following registry value:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"
The backdoor then starts the service, which loads the extracted library into the address space of the system process «svchost.exe».
When loaded, the library:
– retrieves the backdoor's original file name by reading the registry value:
[HKLM\System\ControlSet001\Services\360svc] "IsalouentlMdl"
– deletes the original backdoor file;
– gains access to the user's desktop, the clipboard and user input;
– establishes a network connection and exchanges data with the following host:
moyu***cp.net
At the time of writing, the host did not respond.
– creates the following registry value:
[HKLM\System\CurrentControlSet\Services\360svc] "Type" = "288"
The library can also download files from a given URL to the computer and run them, and inject code into the address space of another process.
While running, the backdoor creates a unique identifier named «YuAnk Update».
Removal
If your computer was not protected by an antivirus product and has been infected with this malware, do the following to remove it:
Delete the original backdoor file if it still exists. Its location on the infected computer can be determined by reading the following registry value:
[HKLM\System\ControlSet001\Services\360svc] "IsalouentlMdl"
Stop the service named «Serial Number Service».
Remove the following registry branches together with all keys and values under them:
[HKLM\System\ControlSet001\Services\360svc]
[HKLM\System\CurrentControlSet\Services\360svc]
Delete the entry «360svc» from the list stored in the following system registry value:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"
Delete the file:
%SystemDrive%\Documents and Settings\Local User\lss.dll
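As an added example that is not part of the original advisory, the following PowerShell script checks an elevated session for the persistence artifacts listed above (service keys, the recorded dropper path, the ServiceDll, the netsvcs group entry and the dropped file) and, with -Remove, performs the removal steps in the order given. Only the service name, registry locations and file paths come from the advisory; the script structure and its -Remove switch are my own assumptions.

```powershell
param([switch]$Remove)   # default is report-only; -Remove performs the cleanup steps

# Names and paths below are taken from the advisory; the script logic is an assumption.
$svcName    = '360svc'
$svcKeys    = @("HKLM:\SYSTEM\ControlSet001\Services\$svcName",
                "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName")
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$dropped    = Join-Path $env:SystemDrive 'Documents and Settings\Local User\lss.dll'
$hits = @()
$orig = $null

# 1. Service keys, the dropper path the backdoor recorded, and the hosted ServiceDll
foreach ($key in $svcKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $hits += "service key present: $key"
    $o = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).IsalouentlMdl
    if ($o) { $orig = $o; $hits += "original backdoor file recorded as: $o" }
    $dll = (Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $hits += "ServiceDll: $dll" }
}

# 2. Membership in the netsvcs svchost group (this is what loads the DLL into svchost.exe)
$netsvcs = @((Get-ItemProperty -LiteralPath $svchostKey -ErrorAction SilentlyContinue).netsvcs)
if ($netsvcs -contains $svcName) { $hits += "netsvcs group lists $svcName" }

# 3. Dropped library on disk
if (Test-Path -LiteralPath $dropped) { $hits += "dropped file present: $dropped" }

if ($hits.Count -eq 0) { Write-Output 'No Backdoor.Win32.Agent.bhyr indicators found.'; return }
$hits | ForEach-Object { Write-Warning $_ }
if (-not $Remove) { Write-Output 'Re-run with -Remove to clean up.'; return }

# Cleanup, in the order the advisory gives: original file, service, registry, netsvcs, DLL
if ($orig -and (Test-Path -LiteralPath $orig)) { Remove-Item -LiteralPath $orig -Force }
Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
foreach ($key in $svcKeys) {
    if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse -Force }
}
if ($netsvcs -contains $svcName) {
    Set-ItemProperty -LiteralPath $svchostKey -Name 'netsvcs' -Type MultiString `
        -Value @($netsvcs | Where-Object { $_ -ne $svcName })
}
if (Test-Path -LiteralPath $dropped) { Remove-Item -LiteralPath $dropped -Force }
Write-Output 'Cleanup finished; reboot and rescan with an up-to-date antivirus product.'
```

The service must be stopped before the DLL is deleted, since the file cannot be removed while svchost.exe still has it loaded.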