TSPY_DYRE.YUYCD

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

• %System%\config\systemprofile\Application Data\{random}.dll (for Windows XP and lower)
• %AppDataLocal%\{random}.dll (for Windows Vista and higher)

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %Windows%\{random}.exe (for Windows XP and lower)
• %AppDataLocal%\{random}.exe (for Windows Vista and higher)

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
DisplayName = "Google Update Service" (for Windows XP or lower)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
ImagePath = {hex value of %Windows%\{random}.exe} (for Windows XP or lower

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
GoogleUpdate = "%AppDataLocal%\{random.exe}" (for Windows Vista and higher)

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate (for Windows XP or lower)

Other Details

This spyware connects to the following possibly malicious URL:

• http://{BLOCKED}cher.drollette.com/netdb/
• http://{BLOCKED}db.innovatio.no/
• http://{BLOCKED}p.mooo.com/netDb/
• http://{BLOCKED}opo.mooo.com/
• http://{BLOCKED}b.i2p2.no/
• http://{BLOCKED}d.i2p-projekt.de/
• http://{BLOCKED}d.info/
• http://{BLOCKED}d.pkol.de/
• http://{BLOCKED}k.reseed.i2p2.no/
• http://{BLOCKED}s.reseed.i2p2.no/
• https://{BLOCKED}cher.drollette.com/netdb/
• https://{BLOCKED}db.innovatio.no/
• https://{BLOCKED}p.mooo.com/netDb/
• https://{BLOCKED}d.zarrenspry.info/
• https://{BLOCKED}ipo.mooo.com/
• https://{BLOCKED}k.mx24.eu/
• https://{BLOCKED}b.i2p2.no/
• https://{BLOCKED}b.rows.io:444/
• https://{BLOCKED}d.i2p-projekt.de/
• https://{BLOCKED}d.info/
• https://{BLOCKED}l.webpack.de/ivae2he9.sg4.e-plaza.de/
• https://{BLOCKED}k.reseed.i2p2.no:444/
• https://{BLOCKED}s.reseed.i2p2.no:444/
• {BLOCKED}.{BLOCKED}.123.70
• {BLOCKED}.{BLOCKED}.70.41

It deletes the initially executed copy of itself