TROJ_YUMY.AI

 Analysis by: Michael Cabel

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan deletes its original file after it has executed (the copy it drops remains on the system).

It lowers the security setting of Internet Explorer.

  TECHNICAL DETAILS

File Size:

166,400 bytes

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

03 Aug 2010

Installation

This Trojan drops the following copy of itself on the affected system and executes it:

  • %Application Data%\{Random Folder}\{Random File Name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003. The {Random Folder} and {Random File Name} are generated per infection.)

It drops the following non-malicious file:

  • %Application Data%\{Random Folder 2}\{Random File Name}.{Rnd}

After executing, it deletes its original file; the dropped copy in %Application Data% continues to run.

Autostart Technique

This Trojan adds the following registry entry to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{6D28A461-0014-C635-1588-762C8F7E3B1C} = %Application Data%\Amilh\{Random File Name}.exe

(Note: The value name is a GUID-style string. In the analyzed sample, Amilh was the {Random Folder} created during installation; other infections use a different folder name.)

Other System Modifications

This Trojan adds the following registry entry as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy
CleanCookies = 0

Internet Explorer Security Setting Modification

This Trojan lowers the security setting of Internet Explorer. The entry under Internet Explorer\Privacy listed above is the Internet Explorer modification recorded for this sample; no home page or search page change was observed.
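The persistence entry, the Internet Explorer privacy change and the dropped-file characteristics described in the Installation, Autostart Technique and Other System Modifications sections above can be checked on a suspect host with the following PowerShell script. This is an added example and is not part of the original advisory or a Trend Micro tool. It assumes it is run in the session of the affected user (all entries are under HKEY_CURRENT_USER). It generalizes the single Run value on this page by flagging any Run value whose name looks like a GUID or whose data points below %Application Data%, and it uses the 166,400-byte size of the analyzed sample, which other variants will not necessarily share.

```powershell
# Added example: hunt for the TROJ_YUMY.AI indicators described in this advisory.
# Not part of the original advisory. Assumes it runs as the affected user, since
# every entry on the page lives under HKEY_CURRENT_USER.

$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$PrivacyKey  = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy'
$AppData     = [Environment]::GetFolderPath('ApplicationData')   # %Application Data%
$SampleSize  = 166400                                            # size of the analyzed sample only
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Run-key values named like a GUID, or pointing below %Application Data%, match
# the autostart entry on this page ({GUID} = %Application Data%\Amilh\...exe).
function Find-SuspiciousRunEntries {
    if (-not (Test-Path $RunKey)) { return @() }
    $key = Get-Item -Path $RunKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)      # REG_EXPAND_SZ is expanded here
        $path = $data.Trim('"')
        $guidName  = $name -match $GuidPattern
        $inAppData = $path.StartsWith($AppData, [StringComparison]::OrdinalIgnoreCase)
        if ($guidName -or $inAppData) {
            [PSCustomObject]@{
                ValueName = $name
                Data      = $data
                GuidName  = $guidName
                InAppData = $inAppData
                Exists    = Test-Path -LiteralPath $path
            }
        }
    }
}

# CleanCookies = 0 under Internet Explorer\Privacy is the IE change recorded above.
function Get-CleanCookiesSetting {
    if (-not (Test-Path $PrivacyKey)) { return $null }
    $props = Get-ItemProperty -Path $PrivacyKey -ErrorAction SilentlyContinue
    if ($props.PSObject.Properties['CleanCookies']) { return $props.CleanCookies }
    return $null
}

# Executables under %Application Data% matching the sample size. Variants will
# differ in size, so treat a hit as a triage hint, not a verdict.
function Find-DroppedCopies {
    Get-ChildItem -Path $AppData -Recurse -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $SampleSize } |
        Select-Object FullName, Length, LastWriteTime
}

$runHits = @(Find-SuspiciousRunEntries)
Write-Host "Suspicious Run entries: $($runHits.Count)"
$runHits | Format-Table -AutoSize

$cc = Get-CleanCookiesSetting
if ($cc -eq 0) {
    Write-Host 'CleanCookies = 0 under Internet Explorer\Privacy (matches this advisory)'
} else {
    Write-Host "CleanCookies value: $(if ($null -eq $cc) { 'not set' } else { $cc })"
}

$copies = @(Find-DroppedCopies)
Write-Host "Executables of $SampleSize bytes under ${AppData}: $($copies.Count)"
$copies | Format-Table -AutoSize
```

Run the script in the affected user's interactive session, because HKCU resolves to the hive of the user who launches it. For an offline disk image, load that user's NTUSER.DAT with reg.exe load and point $RunKey and $PrivacyKey at the mounted hive instead; the Exists column will then need the mounted profile path rather than the live %Application Data%.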

Download Routine

This Trojan connects to the following URL(s) to download its configuration file:

  • http://{BLOCKED}ooqu.ru/bin/koethood.bin