Backdoor:Win32/Ysnah.A
First posted on 13 April 2010.
Source: SecurityHome
Aliases:
Backdoor:Win32/Ysnah.A is also known as W32/DLoader.AHTBD (Norman), BackDoor-EJC (McAfee), Trojan.Win32.Generic.51FCDAC0 (Rising AV), BKDR_AHNSY.A (Trend Micro).
Explanation:
Backdoor:Win32/Ysnah.A is a trojan that allows backdoor access and control.
Installation
Backdoor:Win32/Ysnah.A drops a copy of itself in the following location:
<system folder>\ahnsy.dll
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It modifies the system registry so that it automatically runs as a service every time Windows starts:
Adds value: "ServiceDll"
With data: "<system folder>\ahnsy.dll"
To subkey: HKLM\SYSTEM\ControlSet001\Services\Irmon\Parameters
Payload
Allows backdoor access and control
Backdoor:Win32/Ysnah.A connects to the following Web site through port 11229 for certain commands:
japan003.myfw.us
It is capable of performing certain actions, including the following, based on commands from a remote attacker:
Send file
Kill tasks/processes
Show tasks/processes
Update itself
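As an added example (not from the original advisory or from the vendor's analysis), the following PowerShell checks a host for the persistence and network indicators described above: a ServiceDll value under a service's Parameters key that points at ahnsy.dll, the Irmon service hosting something other than its stock DLL, and connections to TCP port 11229. The stock Irmon DLL name (irmon.dll) and the inclusion of CurrentControlSet and ControlSet002 alongside the page's ControlSet001 are assumptions.

```powershell
# Added example, not part of the original advisory: hunt a Windows host for the
# persistence this page describes (a ServiceDll value under Irmon\Parameters that
# points at ahnsy.dll in the system folder) and report on any DLL it finds.
# Assumptions: the stock Irmon service loads irmon.dll, and the active control set
# (CurrentControlSet) is worth checking alongside the ControlSet001 named on the page.
$SuspectDll  = 'ahnsy.dll'
$ControlSets = @('CurrentControlSet', 'ControlSet001', 'ControlSet002')

function Get-ServiceDllEntries {
    param([string]$ControlSet)
    $base = "HKLM:\SYSTEM\$ControlSet\Services"
    if (-not (Test-Path -Path $base)) { return }
    foreach ($svc in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $params = "$base\$($svc.PSChildName)\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        [pscustomobject]@{
            ControlSet = $ControlSet
            Service    = $svc.PSChildName
            ServiceDll = $dll
            Expanded   = [Environment]::ExpandEnvironmentVariables($dll)
        }
    }
}

$findings = foreach ($cs in $ControlSets) {
    Get-ServiceDllEntries -ControlSet $cs | Where-Object {
        # Indicator 1: the DLL name given in the advisory, whichever service hosts it.
        ($_.Expanded -match [regex]::Escape($SuspectDll)) -or
        # Indicator 2: Irmon hosting anything other than its stock DLL (assumed irmon.dll).
        ($_.Service -eq 'Irmon' -and $_.Expanded -notmatch '\\irmon\.dll$')
    }
}

foreach ($f in $findings) {
    $exists = Test-Path -LiteralPath $f.Expanded
    $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $f.Expanded).Status } else { 'file missing' }
    $hash = if ($exists) { (Get-FileHash -LiteralPath $f.Expanded -Algorithm SHA256).Hash } else { 'n/a' }
    Write-Output ("[{0}] {1} -> {2} (signature: {3}, sha256: {4})" -f $f.ControlSet, $f.Service, $f.Expanded, $sig, $hash)
}
if (-not $findings) { Write-Output 'No ServiceDll indicator for Backdoor:Win32/Ysnah.A found.' }

# Network side: the page names a command channel on TCP port 11229. Get-NetTCPConnection
# exists only on Windows 8 / Server 2012 and later, so the call is guarded.
if (Get-Command -Name Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 11229 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, RemoteAddress, RemotePort, State, OwningProcess
}
```

Run from an elevated prompt so every service key is readable; a hit on the Irmon check with a valid Microsoft signature on irmon.dll in a non-default path is worth confirming by hand rather than treating as infection.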
Analysis by Francis Allan Tan Seng
Last update 13 April 2010