Backdoor:Win32/Wkysol.C
First posted on 07 January 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Wkysol.C is also known as Trojan.Inject.55767 (Dr.Web), Backdoor.Win32.Sykipot.bv (Kaspersky), BackDoor-FDE (McAfee), Backdoor.Sykipot (Symantec), TROJ_SPNR.11JS11 (Trend Micro).
Explanation:
Backdoor:Win32/Wkysol.C is a trojan that allows unauthorized remote access and control of an affected computer. This trojan has been observed to be installed when opening certain malicious PDF files that exploit a vulnerability affecting Adobe Reader and Acrobat. This malicious exploit in PDF files is detailed as an unspecified vulnerability in the U3D component in Adobe Reader and Acrobat and is further discussed in CVE-2011-2462.
Installation
When run, Backdoor:Win32/Wkysol.C drops a copy of the trojan as an executable file named "help.exe" into the "Local Settings" file folder, as in the following example:
- C:\Documents and Settings\Administrator\Local Settings\help.exe
The registry is modified to run the dropped trojan copy at each Windows start, as in the following example modification:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "start"
With data: "C:\Documents and Settings\Administrator\Local Settings\help.exe"
Payload
Drops other malware
On execution, Backdoor:Win32/Wkysol.C drops other malware as a DLL, also into the "Local Settings" file folder as "WSE4EF1.TMP", which is detected as Backdoor:Win32/Wkysol.B. This DLL is then injected into the following processes:
- outlook.exe
- iexplorer.exe
- firefox.exe
Allows unauthorized remote access and control
Backdoor:Win32/Wkysol.C allows unauthorized remote access and control of an affected computer by connecting to a remote server and accepting commands from an attacker. This trojan has been observed connecting to the domain "racingfax.com" for this purpose. When connecting to the server, the trojan communicates using the following server-side script and parameter:
- <server\path\>kys_allow_get.asp?name=getkys.kys
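The indicators above (the autostart value, the dropped files in "Local Settings", and the C2 domain and script path) can be turned into simple triage checks. The following is an added example written for this page, not Microsoft's code; the registry entries, file paths and proxy log lines it scans are constructed sample data, and the log line layout (timestamp, client, host, path) is an assumption.

```python
"""Triage checks for the Backdoor:Win32/Wkysol.C indicators described in this write-up.
All sample data below is constructed for the example; only the indicators come from the page."""
import re

# Indicators taken from the write-up
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "start"
DROPPED_EXE = re.compile(r"\\local settings\\help\.exe$", re.IGNORECASE)
DROPPED_DLL = re.compile(r"\\local settings\\wse4ef1\.tmp$", re.IGNORECASE)
C2_DOMAIN = "racingfax.com"
C2_PATH = re.compile(r"kys_allow_get\.asp\?name=getkys\.kys", re.IGNORECASE)

def check_run_entries(entries):
    """entries: list of (key, value_name, data). Flags the Wkysol.C autostart entry only."""
    hits = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE and DROPPED_EXE.search(data):
            hits.append(("autostart", key, name, data))
    return hits

def check_files(paths):
    """paths: iterable of file paths. Flags the dropped copy and the injected DLL by their full location,
    so the legitimate help.exe under system32 is not reported."""
    return [("dropped_file", p) for p in paths if DROPPED_EXE.search(p) or DROPPED_DLL.search(p)]

def check_proxy_log(lines):
    """lines: 'timestamp client host path' (assumed layout). Flags beacons by C2 domain or script path."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        host, path = parts[2], parts[3]
        if host.lower() == C2_DOMAIN or host.lower().endswith("." + C2_DOMAIN) or C2_PATH.search(path):
            hits.append(("c2_beacon", host, path))
    return hits

# Constructed sample data (not from the write-up)
SAMPLE_RUN = [
    (RUN_KEY, "start", r"C:\Documents and Settings\Administrator\Local Settings\help.exe"),
    (RUN_KEY, "Updater", r"C:\Program Files\Updater\updater.exe"),
]
SAMPLE_FILES = [r"C:\Documents and Settings\Administrator\Local Settings\WSE4EF1.TMP",
                r"C:\WINDOWS\system32\help.exe"]
SAMPLE_PROXY = [
    "2012-01-07T10:00:01 10.0.0.5 racingfax.com /kys_allow_get.asp?name=getkys.kys",
    "2012-01-07T10:00:02 10.0.0.5 www.example.com /index.html",
]

if __name__ == "__main__":
    for hit in check_run_entries(SAMPLE_RUN) + check_files(SAMPLE_FILES) + check_proxy_log(SAMPLE_PROXY):
        print(hit)
```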
Using this backdoor, an attacker can perform a number of actions, including but not limited to the following:
- Create a command shell
- Run or terminate applications and processes
- Reboot the computer
Additional information
This malware supports an uninstall action when run with the parameter '-remove'. When run with this option, the malware attempts to perform the following actions:
- Remove its malicious components from the affected computer
- Terminate its own running process
- Delete registry data that executes the trojan
Analysis by Patrick Estavillo
Last update 07 January 2012