Home / malware Trojan.Yahamam
First posted on 19 May 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Yahamam.
Explanation :
Trojan.Yahamam arrives as a file dropped by Trojan.Mdropper.
When the Trojan is executed, it creates the following files: %System%\mfc41.dll %Windir%\inf\mfc41.inf%Windir%\Fonts\mfc41.tff%Windir%\Web Wallpaper\images.jpg%System%\drivers\usb30.sys
The Trojan may add itself as a service with the following name: IPSEC Network Connections Services
Next, the Trojan searches the following folder for a file that has a special marker at the end: [PATH TO FILE]\wallpaper
The Trojan then reads the file as a program code on memory and executes it.
Next, the Trojan adds %System%\mfc41.dll as a service with the following name: INCS
The Trojan also adds %System%\drivers\usb30.sys as a service with the following name: usb30
Next, the Trojan opens a back door, and may connect to one of the following remote locations: www.dpponline.trickip.org:53www.myinfo.ocry.com:443223.27.35.244:443
The Trojan then allows an attacker to perform the following actions: Print the Help menuGather and delete accountsInstall, enumerate, view, stop, and delete servicesExecute, download, upload, and decrypt filesChange a file's or folder's time stamp
Gather system informationGather disk informationEnumerate and end processesGather the module for running processesView TCP and IP information Display IPCONFIG application
Remove a TCP connectionRun cmd.exe shellRestart computer
Activate sleep mode
Change, copy, create, and delete foldersDisplay folder information
Display file contentCapture screenshotsView and set the terminal portView and set self-configuration details
Start and stop USB functionalityStop itselfLast update 19 May 2015