Win32/Agent.YIJ [Threat Name]

Win32/Agent.YIJ [Threat Variant Name]

Category trojan
Size 124416 B
Detection created Sep 27, 2016
Detection database version 14187
Short description

Win32/Agent.YIJ is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %folder%\%filename%%randomstring%%fileextension%

The %folder% is one of the following strings:

  • %programfiles%
  • %commonprogramfiles%
  • %allusersprofile%
  • %userprofile%
  • %appdata%
  • %temp%

The %filename% is one of the following strings:

  • ms
  • win
  • gdi
  • mfc
  • vga
  • igfx
  • user
  • help
  • config
  • update
  • regsvc
  • chkdsk
  • systray
  • audiodg
  • certmgr
  • autochk
  • taskhost
  • colorcpl
  • services
  • IconCache
  • ThumbCache
  • Cookies

%randomstring% represents random text.


The %fileextension% is one of the following strings:

  • .exe
  • .com
  • .scr
  • .pif
  • .cmd
  • .bat

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "%variable%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "%variable%" = "%malwarefilepath%"

A string with variable content is used instead of %variable%.


This causes the trojan to be executed on every system start.
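The drop location and the Run-key persistence described above give a path shape that can be hunted for: a file sitting directly in one of six folders, named with one of the listed base names plus random text, with one of six extensions, referenced from one of four Run keys. The following Python script is an added example (not code from this page or from ESET) that builds a matcher from those three lists and runs it over text shaped like the output of reg query for the four keys. The mapping of the %folder% tokens to concrete paths is an assumption for a default English Windows install (on a live host expand the real environment variables instead), the function names are the example's own, and the registry listing is constructed sample data.

```python
"""Hunt Run-key entries whose target matches the drop-path pattern described above.

Added example, not the page's or ESET's code. FOLDER_PATHS is an assumed mapping
of the page's %folder% tokens for a default English Windows install; on a live
host resolve them with os.path.expandvars. REG_SAMPLE is constructed.
"""
import re

# Lists transcribed from the page.
BASENAMES = ["ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config",
             "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk",
             "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies"]
EXTENSIONS = [".exe", ".com", ".scr", ".pif", ".cmd", ".bat"]

# Assumed concrete paths for the %folder% tokens; <user> stands for any profile name.
FOLDER_PATHS = {
    "%programfiles%": r"C:\Program Files",
    "%commonprogramfiles%": r"C:\Program Files\Common Files",
    "%allusersprofile%": r"C:\ProgramData",
    "%userprofile%": r"C:\Users\<user>",
    "%appdata%": r"C:\Users\<user>\AppData\Roaming",
    "%temp%": r"C:\Users\<user>\AppData\Local\Temp",
}

# The four keys named on the page.
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
_RUN_KEYS_LC = {k.lower() for k in RUN_KEYS}


def _folder_regex(template: str) -> str:
    # Escape the literal parts and let <user> match exactly one path component.
    return r"[^\\]+".join(re.escape(part) for part in template.split("<user>"))


# <folder>\<basename><random text without a separator><extension>: the file must
# sit directly in the folder, as the page's template says.
DROP_PATTERN = re.compile(
    r"^(?:" + "|".join(_folder_regex(p) for p in FOLDER_PATHS.values()) + r")"
    r"\\(?:" + "|".join(re.escape(n) for n in BASENAMES) + r")"
    r"[^\\]*(?:" + "|".join(re.escape(e) for e in EXTENSIONS) + r")$",
    re.IGNORECASE,
)

# "<name>  REG_SZ  <data>" lines as printed by reg.exe; REG_EXPAND_SZ is accepted too.
_VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")
# Leading executable in the value data, quoted or not, followed by arguments or end.
_EXE_IN_DATA = re.compile(r'^"?(.+?\.(?:exe|com|scr|pif|cmd|bat))(?:"|\s|$)', re.IGNORECASE)


def matches_drop_pattern(path: str) -> bool:
    return DROP_PATTERN.match(path.strip()) is not None


def find_suspicious_run_entries(reg_text: str) -> list:
    """Parse reg-query-style text; return values under the four Run keys whose
    executable path matches the drop pattern."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if not m or current_key is None or current_key.lower() not in _RUN_KEYS_LC:
            continue
        exe = _EXE_IN_DATA.match(m.group(3))
        if exe and matches_drop_pattern(exe.group(1)):
            hits.append({"key": current_key, "name": m.group(1), "path": exe.group(1)})
    return hits


# Constructed listing: two legitimate entries and two that fit the pattern.
REG_SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    mxQk7    REG_SZ    C:\Users\alice\AppData\Roaming\updateXk3.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    1    REG_SZ    "C:\ProgramData\IconCacheQz.scr"
"""

if __name__ == "__main__":
    for hit in find_suspicious_run_entries(REG_SAMPLE):
        print(f"{hit['key']}  {hit['name']!r} -> {hit['path']}")
```

The Policies\Explorer\Run keys are easy to overlook because most autorun tooling focuses on the plain Run keys; feed the output of all four into the parser. A name like msiexec.exe in %appdata% matches the pattern through the "ms" prefix, which is intended: the base names mimic system binaries that never live in a profile folder.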


The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • %system%\%application%

The %application% is one of the following strings:

  • svchost.exe
  • msiexec.exe
  • wuauclt.exe
  • lsass.exe
  • wlanext.exe
  • msg.exe
  • lsm.exe
  • dwm.exe
  • help.exe
  • chkdsk.exe
  • cmmon32.exe
  • nbtstat.exe
  • spoolsv.exe
  • rdpclip.exe
  • control.exe
  • taskhost.exe
  • rundll32.exe
  • systray.exe
  • audiodg.exe
  • wininit.exe
  • services.exe
  • autochk.exe
  • autoconv.exe
  • autofmt.exe
  • cmstp.exe
  • colorcpl.exe
  • cscript.exe
  • explorer.exe
  • WWAHost.exe
  • ipconfig.exe
  • msdt.exe
  • mstsc.exe
  • NAPSTAT.EXE
  • netsh.exe
  • NETSTAT.EXE
  • raserver.exe
  • wscript.exe
  • wuapp.exe
  • cmd.exe

The trojan injects its code into the following processes:

  • explorer.exe
  • iexplore.exe
  • firefox.exe
  • chrome.exe
  • microsoftedgecp.exe
  • opera.exe
  • safari.exe
  • torch.exe
  • maxthon.exe
  • seamonkey.exe
  • avant.exe
  • deepnet.exe
  • dragon.exe
  • icedragon.exe
  • spark.exe
  • browser.exe
  • outlook.exe
  • poco.exe
  • netscp.exe
  • foxmail.exe
  • incmail.exe
  • thunderbird.exe
  • barca.exe
  • yahoomessenger.exe
  • icq.exe
  • pidgin.exe
  • trillian.exe
  • ybrowser.exe
  • skype.exe

Information stealing

Win32/Agent.YIJ is a trojan that steals sensitive information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • user name
  • operating system version

The trojan collects various information when a certain application is being used.


The following programs are affected:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Outlook
  • Mozilla Firefox
  • Mozilla Thunderbird
  • Google Chrome
  • Opera
  • Safari Browser
  • Torch Browser
  • Maxthon
  • Seamonkey
  • Avant Browser
  • Deepnet Explorer
  • Comodo Dragon
  • Comodo IceDragon
  • Baidu Spark Browser
  • Yandex Browser
  • PocoMail
  • Barca
  • Netscape Navigator
  • Foxmail
  • Incredimail
  • Yahoo Messenger
  • ICQ
  • Pidgin
  • Trillian
  • Yahoo! Browser
  • Skype

It can execute the following operations:

  • log keystrokes
  • monitor network traffic

The collected information is stored in the following files:

  • %appdata%\%variable1%\%variable2%.ini

A string with variable content is used instead of %variable1-2%.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of one URL. The HTTP protocol is used in the communication.


The network communication with remote computer/server is encrypted.


The trojan may execute the following commands:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • update itself to a newer version
  • delete cookies
  • shut down/restart the computer
  • send gathered information
  • uninstall itself

The trojan hooks the following Windows APIs:

  • EncryptMessage (sspicli.dll, secur32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • WSASend (ws2_32.dll)
  • PR_Write (nss3.dll, nspr4.dll)
  • ssl3_write_app_data (chrome.dll, dragon_s.dll, browser.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • SendMessageA (user32.dll)
  • SendMessageW (user32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
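
The hooks above are placed in-process (ssl3_write_app_data, for instance, is an internal chrome.dll routine, not an export), so the practical check is to read the first bytes of each listed entry point from a suspect process and look for a detour trampoline. The following Python function is an added example, not code from this page, from ESET or from the malware: it classifies entry bytes as clean or hooked by the trampoline shapes user-mode hook engines write (jmp rel32, jmp [mem], push/ret, mov reg/jmp reg) and resolves the destination where the encoding allows. The function names, addresses and byte strings are the example's own constructions.

```python
"""Triage function entry bytes for inline hooks.

Added example, not code from the page, ESET, or the malware. Given the first
bytes read from an API entry point (e.g. via ReadProcessMemory or a memory dump)
it decides whether a detour trampoline was written there and where it goes.
All addresses and byte strings below are constructed.
"""
import struct


def classify_prologue(code: bytes, func_va: int, bits: int = 64) -> dict:
    """Return {"hooked": bool, "kind": str, "target": int | None}.

    code    -- bytes at the function entry (read at least 12 on x64)
    func_va -- virtual address of the entry, needed to resolve relative jumps
    bits    -- 32 or 64; selects how FF 25 and mov-reg/jmp-reg are decoded
    """
    mask = (1 << bits) - 1
    if len(code) < 5:
        return {"hooked": False, "kind": "insufficient bytes", "target": None}

    # E9 disp32: jmp rel32, the trampoline most user-mode hook engines write.
    if code[0] == 0xE9:
        disp = struct.unpack_from("<i", code, 1)[0]
        return {"hooked": True, "kind": "jmp rel32", "target": (func_va + 5 + disp) & mask}

    # FF 25: jmp [mem]. x86 encodes an absolute pointer slot, x64 a RIP-relative
    # one; "target" is the slot holding the real destination, not the destination.
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        if bits == 64:
            slot = (func_va + 6 + struct.unpack_from("<i", code, 2)[0]) & mask
        else:
            slot = struct.unpack_from("<I", code, 2)[0]
        return {"hooked": True, "kind": "jmp [mem]", "target": slot}

    # 68 imm32 C3: push target; ret.
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return {"hooked": True, "kind": "push/ret", "target": struct.unpack_from("<I", code, 1)[0]}

    # 48 B8 imm64 FF E0: mov rax, target; jmp rax (x64 absolute detour).
    if bits == 64 and len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return {"hooked": True, "kind": "mov rax/jmp rax", "target": struct.unpack_from("<Q", code, 2)[0]}

    # B8 imm32 FF E0: mov eax, target; jmp eax (x86 absolute detour).
    if bits == 32 and len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":
        return {"hooked": True, "kind": "mov eax/jmp eax", "target": struct.unpack_from("<I", code, 1)[0]}

    return {"hooked": False, "kind": "no trampoline at entry", "target": None}


def find_inline_hooks(snapshot, bits: int = 64) -> list:
    """snapshot: iterable of (name, func_va, entry_bytes). Returns the names whose
    entry starts with a recognised trampoline."""
    return [name for name, va, code in snapshot if classify_prologue(code, va, bits)["hooked"]]


# Constructed snapshot of four entry points named on the page, as they might be
# read back from a browser process: one clean x64 prologue, three detours.
SNAPSHOT = [
    ("wininet!HttpSendRequestA", 0x7FFB10001000, bytes.fromhex("48895C240848896C2410")),
    ("wininet!HttpSendRequestW", 0x7FFB10001200, bytes.fromhex("E9FB0F0000909090")),
    ("user32!GetMessageW",       0x7FFB20003000, bytes.fromhex("48B800000030FB7F0000FFE0")),
    ("secur32!EncryptMessage",   0x7FFB40005000, bytes.fromhex("FF2500010000909090")),
]

if __name__ == "__main__":
    for name, va, code in SNAPSHOT:
        r = classify_prologue(code, va)
        if r["hooked"]:
            print(f"{name:28s} {r['kind']:18s} target={r['target']:#x}")
        else:
            print(f"{name:28s} clean")
```

Two caveats when running this against a live process: a handful of clean functions legitimately begin with a jmp (forwarders and stubs), so confirm a hit by comparing the bytes with the same function in the on-disk DLL; and this only finds inline detours, not IAT or EAT patching, so a function that is clean here may still be redirected through the import table.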

The trojan can detect presence of debuggers and other analytical tools.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • vmwareuser.exe
  • vmwareservice.exe
  • vboxservice.exe
  • vboxtray.exe
  • sandboxiedcomlaunch.exe
  • sandboxierpcss.exe
  • procmon.exe
  • filemon.exe
  • wireshark.exe
  • netmon.exe
  • prl_tools_service.exe
  • prl_tools.exe
  • prl_cc.exe
  • sharedintapp.exe
  • vmtoolsd.exe
  • vmsrvc.exe
  • vmusrvc.exe
  • python.exe
  • perl.exe
  • regmon.exe

The trojan quits immediately if it detects a module loaded in its own process whose name or path contains one of the following strings:

  • sbiedll.dll
  • \CUCKOO\
  • \SANDCASTLE\
  • \ASWSNX\
  • \SANDBOX\
  • \smpdir\
  • \samroot\
  • \AVCTestSuite\

The trojan quits immediately if the user name is one of the following:

  • sandbox-
  • nmsdbox-
  • xxxx-ox-
  • cwsx-
  • wilbert-sc
  • xpamast-sc

The trojan contains both 32-bit and 64-bit program components.
