Home / malware Trojan:Win32/Wakyso.A
First posted on 20 October 2014.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Wakyso.A.
Explanation :
Threat behavior
Installation
Trojan:Win32/Wakyso.A creates the following files on your PC:
\ .exe.bat - c:\documents and settings\administrator\local settings\temp\flash_installed.txt
- c:\documents and settings\administrator\local settings\temp\winlogin.zip
Payload
Changes system security settings
Trojan:Win32/Wakyso.A disables the Least Privileged User Account (LUA), also known as the ?administrator in Admin Approval Mode? user type. It does this by making the following registry modifications:
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Note: Disabling the LUA allows all applications to run by default with all administrative privileges. You won't be asked for explicit consent. Contacts remote hosts
The malware can contact the following remote hosts:
- 03b0d0d.netsolhost.com using port 21
- 03b0d0d.netsolhost.com using port 10000
Commonly, malware contacts a remote host to:This malware description was produced and published using automated analysis of file SHA1 ce6036a0d4ef7ecbe9ba78a07809c49c1600f40f.Symptoms
- Confirm Internet connectivity
- Report a new infection to its author
- Receive configuration or other data
- Download and run files (including updates and other malware)
- Receive instruction from a remote hacker
- Upload information taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
.exe.bat
c:\documents and settings\administrator\local settings\temp\flash_installed.txt
c:\documents and settings\administrator\local settings\temp\winlogin.zip
- You see these entries or keys in your registry:
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemLast update 20 October 2014
