Win32/Agent.YJF [Threat Name] go to Threat

Win32/Agent.YJF [Threat Variant Name]

Category trojan
Size 4535808 B
Detection created Oct 10, 2016
Detection database version 14257
Aliases Backdoor:Win32/Truvasys.A!dha (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan is usually bundled within installation packages of various legitimate software.


The trojan is probably a part of other malware.


When executed, the trojan creates the following folders:

  • %temp%\­Microsoft\­
  • %temp%\­Microsoft\­IKE\­
  • %temp%\­resplgdll32\­
  • c:\­windows\­system32\­

The folder may have the System (S) and Hidden (H) attributes set in attempt to hide the folder in Windows Explorer.


The trojan creates the following files:

  • c:\­windows\­system32\­dcomx32.exe (171832 B, Win32/Agent.VWB)
  • c:\­windows\­system32\­winxsys.exe (848896 B, Win32/Agent.YJF)
  • c:\­windows\­temp\­TrueCrypt-7.2.exe (2573392 B)

The files are then executed.


The trojan may create the following files:

  • %temp%\­Microsoft\­IKE\­fprot32.exe (91960 B, Win32/Agent.YJF)
  • %temp%\­resplgdll32\­mfc503vxg.lib
  • %temp%\­resplgdll32\­vId.bin (4 B)
  • %temp%\­resplgdll32\­wndrv.25.bin
  • c:\­windows\­system32\­libeay32.dll (1111040 B)
  • c:\­windows\­system32\­resdllx.dll (729587 B, Win32/Agent.YJF)
  • c:\­windows\­system32\­ssleay32.dll (276480 B)
  • c:\­Windows\­system32\­syswindxr32.dll (49 B)

The file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer.


The trojan creates copies of the following files (source, destination):

  • %temp%\­Microsoft\­IKE\­fprot32.exe, %temp%\­resplgdll32\­fprot32.exe

The file is then executed.


The trojan attempts to delete the following files:

  • %temp%\­resplgdll32\­olesys32.dll
  • %temp%\­resplgdll32\­mvhost32.dll
  • %temp%\­resplgdll32\­sdwin32.dll
  • %temp%\­resplgdll32\­ofx64.dll
  • %temp%\­Microsoft\­IKE\­ofx64.dll

The trojan registers itself as a system service using the following name:

  • Windows Index Services

This causes the trojan to be executed on every system start.


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows Defender\­Spynet]
    • "SpyNetReporting" = 0

The following Registry entry is deleted:

  • [HKEY_CLASSES_ROOT\­CLSID\­{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
Information stealing

Win32/Agent.YJF is a trojan that steals sensitive information.


The following information is collected:

  • volume serial number
Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The TCP, UDP protocol is used in the communication.


The trojan may perform DoS attacks.


The trojan tries to read following files:

  • %temp%\­resplgdll32\­mntpoint.25.bin

The file is then decrypted and executed.


The trojan executes the following command:

  • taskkill /F /T /IM ping.exe

The trojan executes the following files:

  • %temp%\­resplgdll32\­alg32.exe -C
  • %temp%\­resplgdll32\­hxdef32.exe -C
  • %temp%\­resplgdll32\­hxsys32.exe -C
  • %temp%\­resplgdll32\­procstate.exe -C
  • %temp%\­resplgdll32\­snmp32.exe -C
  • %temp%\­resplgdll32\­splman32.exe -C
  • %temp%\­resplgdll32\­vmnat32.exe -C
  • %temp%\­resplgdll32\­winasys32.exe -C
  • %temp%\­resplgdll32\­wmsrv32.exe -C

Please enable Javascript to ensure correct displaying of this content and refresh this page.