
Backdoor:Win32/Cypaux.A


First posted on 27 March 2009.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor:Win32/Cypaux.A.

Explanation :

Backdoor:Win32/Cypaux.A is a component of Win32/Cypaux, a multi-component family of trojans used to compromise machines and use them in various ways at the attacker's will. This could include using the affected machine to send spam, distribute malware, and proxy malicious traffic. The family consists of downloading, proxy and backdoor components. Backdoor:Win32/Cypaux.A may be used to create Gmail and MyYearBook accounts that can then be used for sending spam, links and other malicious content.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %temp%\~allinfo.txt
  • The presence of the following registry modifications:
    Sets value: "Java Syncro"
    With data: "<original execution location>"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run



    Installation
    After being downloaded by TrojanDownloader:Win32/Cypaux, Backdoor:Win32/Cypaux modifies the following registry entry to ensure that its executable runs at each Windows start:
    Sets value: "Java Syncro"
    With data: "<original execution location>"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Payload
    Backdoor Functionality
    Backdoor:Win32/Cypaux is a trojan that allows unauthorized access to and control of an affected machine. Its primary purpose appears to be to create dummy accounts on popular email and social networking sites that can then be utilized by its controller. Once installed, Backdoor:Win32/Cypaux contacts IP 66.90.101.177 in order to receive commands. This backdoor can be instructed to create Gmail and MyYearBook accounts, which can then be used to send spam messages and malicious links. Messages to be sent are obtained from the remote server. Backdoor:Win32/Cypaux randomly generates characteristics for fake profiles using information obtained from the temp file %temp%\~allinfo.txt. At the time of writing, only female profiles were being created, using various pictures.

    Modifies System Security Settings
    Backdoor:Win32/Cypaux makes the following registry modification to add itself to the Windows Firewall Authorized Applications list, using a description that resembles a legitimate Windows component:
    Sets value: "<original execution location>"
    With data: "<original execution filename>:*:enabled:windows time synchronization"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    Additional Information
    Win32/Cypaux may create the following temporary files in the %temp% directory for its own use:
  • ~allinfo.txt

    For more information on the Win32/Cypaux family of malware please see the Win32/Cypaux description elsewhere in the encyclopedia.
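    The following PowerShell script is an added example for checking a host against the artifacts listed in this description; it is not part of the original encyclopedia entry or of the analysis. It looks for the "Java Syncro" Run value, any Windows Firewall Authorized Applications entry whose description reads "windows time synchronization", the %temp%\~allinfo.txt file, and live connections to 66.90.101.177. The output layout, the decision to flag every firewall entry with that description string, and the correlation between the Run value and the firewall entry are this script's own assumptions; the IP address is the one reported at the time of writing (2009) and may no longer be in use.

```powershell
# Added example: host check for the Win32/Cypaux artifacts described above.
# Not part of the original description. Run from an elevated PowerShell prompt.

$findings = @()

# 1. Persistence: HKCU Run value named "Java Syncro" (name from the description).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$runTarget = $null
if ($run -and $run.PSObject.Properties['Java Syncro']) {
    $runTarget = [string]$run.'Java Syncro'
    $findings += [pscustomobject]@{
        Indicator = 'Run value "Java Syncro"'
        Detail    = $runTarget
    }
}

# 2. Firewall exception: XP/2003-era Authorized Applications list. Each value is
#    "<path>:*:Enabled:<description>"; the backdoor registers itself with the
#    description "windows time synchronization". The key does not exist on
#    newer firewall versions, so a missing key is simply skipped.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
        $fields = ([string]$prop.Value) -split ':'
        # The path itself contains a drive-letter colon, so take the last field.
        $description = $fields[-1]
        if ($description -ieq 'windows time synchronization') {
            $note = 'suspicious description'
            # Assumption: a match between this entry's path and the Run value
            # strengthens the finding; it is a correlation, not part of the page.
            if ($runTarget -and ($prop.Name -ieq $runTarget)) {
                $note = 'matches "Java Syncro" Run value'
            }
            $findings += [pscustomobject]@{
                Indicator = "Firewall authorized app ($note)"
                Detail    = "$($prop.Name) => $($prop.Value)"
            }
        }
    }
}

# 3. Profile-generation data file in %temp%.
$allinfo = Join-Path $env:TEMP '~allinfo.txt'
if (Test-Path -LiteralPath $allinfo) {
    $findings += [pscustomobject]@{
        Indicator = 'Temp file'
        Detail    = $allinfo
    }
}

# 4. Live command-and-control connection (address as reported in 2009).
$c2 = '66.90.101.177'
$conns = netstat -ano 2>$null | Select-String -SimpleMatch $c2
foreach ($line in $conns) {
    $findings += [pscustomobject]@{
        Indicator = 'Connection to reported C2 address'
        Detail    = ([string]$line).Trim()
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Cypaux artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

    A hit on the Run value alone can be a false positive only if some legitimate software happens to use the same name, so treat the combination of the Run value, a firewall entry pointing at the same executable, and the temp file as the confirming signal rather than any single item.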

    Analysis by Matt McCormack

    Last update 27 March 2009
