TROJ_YUMY.AI
Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan executes and then deletes itself.
It lowers the security setting of Internet Explorer.
TECHNICAL DETAILS
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %Application Data%\{Random Folder}\{Random File Name}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
It drops the following non-malicious file:
- %Application Data%\{Random Folder 2}\{Random File Name}.{Rnd}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
It executes and then deletes itself.
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{6D28A461-0014-C635-1588-762C8F7E3B1C} = "%Application Data%\Amilh\{Random File Name}.exe"
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
CleanCookies = 0
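As an added example that is not part of this entry or of Trend Micro's tooling, the following PowerShell script checks a host for the Run-key persistence value and the Internet Explorer Privacy change listed above. The value name and the "Amilh" path fragment come from the entry; the "GUID-shaped Run value pointing into Application Data" heuristic is an assumption used to catch variants with a different random name.

```powershell
# Added example (not from the threat entry): audit HKCU for the TROJ_YUMY.AI
# registry indicators described above and report what was found.
function Find-YumyIndicators {
    $runKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $privacyKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy'
    $knownName     = '{6D28A461-0014-C635-1588-762C8F7E3B1C}'   # from the entry
    $guidPattern   = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $findings      = @()

    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip provider metadata properties
            $data = [string]$p.Value
            if ($p.Name -eq $knownName) {
                $findings += "Run value $($p.Name) matches the TROJ_YUMY.AI indicator -> $data"
            }
            # Assumed heuristic: a GUID-shaped value name whose command lives under the
            # user's Application Data folder (or the Amilh folder named in the entry).
            elseif ($p.Name -match $guidPattern -and
                    ($data -match '(?i)\\Application Data\\' -or $data -match '(?i)\\Amilh\\')) {
                $findings += "Suspicious GUID-named Run value $($p.Name) -> $data"
            }
        }
    }

    if (Test-Path $privacyKey) {
        $clean = (Get-ItemProperty -Path $privacyKey).CleanCookies
        # CleanCookies = 0 is the value the Trojan writes; confirm against the Run-key
        # finding, since an administrator could also have set it deliberately.
        if ($null -ne $clean -and [int]$clean -eq 0) {
            $findings += "Internet Explorer\Privacy CleanCookies = 0 (matches installation routine)"
        }
    }

    return $findings
}

$results = Find-YumyIndicators
if ($results.Count -eq 0) { 'No TROJ_YUMY.AI registry indicators found.' } else { $results }
```

Run it in the context of the user whose profile is being checked, since both keys live under HKEY_CURRENT_USER.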
Web Browser Home Page and Search Page Modification
This Trojan lowers the security setting of Internet Explorer.
Download Routine
This Trojan connects to the following URL(s) to download its configuration file:
- http://{BLOCKED}ooqu.ru/bin/koethood.bin