Win32/Iyeclore [Threat Name]

Win32/Iyeclore.W [Threat Variant Name]

Category trojan
Size 42116332 B
Detection created Dec 06, 2016
Detection database version 14561
Aliases Trojan-Dropper.Win32.Keydro.pig (Kaspersky)
  Trojan.MulDrop5.41192 (Dr.Web)
Short description

The trojan is designed to artificially generate traffic to certain Internet sites. The trojan is usually bundled within installation packages of various legitimate software.

Installation

When executed, the trojan creates the following files:

  • %variable1%\%variable3%\%variable4%.exe (21011833 B, Win32/Iyeclore.W trojan)
  • %variable1%\%variable3%\%variable5%.exe (23976117 B, Win32/Iyeclore.W trojan)
  • %variable1%\%variable3%\%variable6%\%variable5%.ini
  • %systemdrive%\Program Files\Common Files\System\Ole DB\MSPat.xml

The trojan creates the following folders:

  • %variable2%\msnc\

The %variable1% is one of the following strings:

  • %systemdrive%\Users\Public
  • %systemdrive%\Program Files

The %variable2% is one of the following strings:

  • %systemdrive%\Users\Public
  • %systemdrive%\Program Files\Common Files\system

A string with variable content is used instead of %variable3-7%.


In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilename%" = "%variable1%\%variable2%\%variable4%.exe /%malwarefilename%"

The trojan creates the following file:

  • %temp%\%variable7%\Office_password_Recovery_Toolbox_3.0.0.1_setup.exe (1864385 B)

The file is then executed.
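As an added defender-side example (not part of the ESET description), the following Python checks host data for the two persistence traits described above: a Run value whose command line ends in a switch repeating the value name and whose executable sits under one of the %variable1% roots, plus the presence of the MSPat.xml data file. The registry and file data are passed in as plain values constructed for the demo; on a live host they would come from winreg and os.path.

```python
import re

# %variable1% candidates from the description, lower-cased with the drive letter
# folded to the %systemdrive% token; and the MSPat.xml data file path.
IYECLORE_DROP_ROOTS = (r"%systemdrive%\users\public", r"%systemdrive%\program files")
IYECLORE_DATA_FILE = r"%systemdrive%\program files\common files\system\ole db\mspat.xml"
# Run value shape from the description: "<name>" = "<exe path> /<name>"
_RUN_VALUE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?\s+/(?P<arg>\S+)\s*$', re.I)


def normalize(path: str) -> str:
    """Lower-case a Windows path and replace its drive letter with %systemdrive%."""
    return re.sub(r"^[a-z]:", "%systemdrive%", path.strip().lower())


def suspicious_run_entries(run_values: dict) -> list:
    """Return Run value names matching the Iyeclore.W persistence pattern.

    Two traits are combined: the switch after the executable repeats the value
    name, and the executable sits under one of the two drop roots. A hit is a
    lead for an analyst, not a conviction on its own.
    """
    hits = []
    for name, data in run_values.items():
        m = _RUN_VALUE_RE.match(data)
        if m is None:
            continue
        same_switch = m.group("arg").lower() == name.lower()
        in_drop_root = normalize(m.group("path")).startswith(IYECLORE_DROP_ROOTS)
        if same_switch and in_drop_root:
            hits.append(name)
    return hits


def iyeclore_indicators(run_values: dict, existing_files: list) -> dict:
    """Combine the Run-key heuristic with the presence of the MSPat.xml data file."""
    present = {normalize(f) for f in existing_files}
    return {
        "run_entries": suspicious_run_entries(run_values),
        "data_file_present": IYECLORE_DATA_FILE in present,
    }


# Constructed sample host state; value names and folder names are made up.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "wsvcnet": r"C:\Users\Public\rtq8\bvhq.exe /wsvcnet",
}
SAMPLE_FILES = [r"C:\Program Files\Common Files\System\Ole DB\MSPat.xml"]

if __name__ == "__main__":
    print(iyeclore_indicators(SAMPLE_RUN, SAMPLE_FILES))
```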

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used.


It can execute the following operations:

  • visit a specific website

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • www.baidu.com

The trojan keeps various information in the following files:

  • %systemdrive%\Program Files\Common Files\System\Ole DB\MSPat.xml
