Win32/Agent.YBU [Threat Name] go to Threat

Win32/Agent.YBU [Threat Variant Name]

Category trojan
Size 265216 B
Detection created Jun 15, 2016
Detection database version 13652
Aliases Backdoor.Win32.Zegost.msyew (Kaspersky)
Short description

Win32/Agent.YBU is a trojan which tries to download other malware from the Internet.


When executed, the trojan creates the following files:

  • C:\­Windows\­web\­access.dll (Win32/Agent.YBU)

The trojan registers itself as a system service using the following name:

  • wudfg

This way the trojan ensures that the file is executed on every system start.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Svchost]
    • "wudfg" = "wudfg"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­wudfg]
    • "ImagePath" = "%SystemRoot%\­System32\­svchost.exe -k wudfg"
    • "DisplayName" = "Windows Driver Founda"
    • "Description" = "管理用户模式的驱动程序主机进程。"
    • "ObjectName" = "LocalSystem"
    • "ErrorControl" = 1
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­wudfg\­Parameters]
    • "ServiceDll" = "C:\­Windows\­web\­access.dll"

The following files may be dropped:

  • %malwarefolder%\­del.bat
  • C:\­Windows\­web\­del.bat

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • MAC address
  • list of running processes

The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of (5) URLs. The HTTP protocol is used.

Other information

Win32/Agent.YBU is a trojan which tries to download other malware from the Internet.

The trojan contains a list of (40) URLs. It tries to download a file from the addresses.

The file is stored in the following location:

  • C:\­Windows\­wmiprvse.exe

The file is then executed. The HTTP protocol is used.

The trojan may delete the following files:

  • %malware_older%\­%malwarefilename%.ini

The trojan may delete files stored in the following folders:

  • %internetcache%

The trojan uninstalls itself if it detects a running process containing one of the following strings in its name:

  • 360md.exe
  • 360rp.exe
  • 360Safe.exe
  • 360sd.exe
  • 360tray.exe
  • ApiProcessMonitor.exe
  • BaiduHips.exe
  • BaiduSd.exe
  • BaiduSdTray.exe
  • kismain.exe
  • ksafe.exe
  • ksafesvc.exe
  • ksafetray.exe
  • kxetray.exe
  • Malware Defender.exe
  • md_setup_chs.exe
  • mdservice.exe
  • mmc.exe
  • ProcessExplorer.exe
  • ProcessMon.exe
  • ProcessMonitor.exe
  • procexp.exe
  • Procmon.exe
  • ttvnc.exe
  • WimProcessMonitor.exe
  • WindowsMonitor.exe
  • WinProcessMonitor.exe
  • WinProcessTaskkill.exe
  • WinSysMonitor.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.