Win32/Yurist [Threat Name]

Win32/Yurist [Threat Variant Name]

Category: trojan
Size: 46592 B
Aliases: Backdoor.Win32.Yurist.aa (Kaspersky)
  Trojan.PWS.LDPinch.1607 (Dr.Web)
  W32.Mytob@mm (Symantec)

Short description

Win32/Yurist is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\xflash.exe

The file is then executed.


The trojan registers itself as a system service using the following name:

  • xflash

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "xflash" = "xflash.exe"

Information stealing

Win32/Yurist is a trojan that steals sensitive information.


The trojan collects information related to the following applications:

  • Miranda
  • Trillian
  • ICQ

The trojan collects the following information:

  • operating system version
  • user name
  • computer name
  • list of disk devices and their type
  • network adapter information
  • current screen resolution
  • Windows Protected Storage passwords and credentials
  • CPU information
  • type of Internet connection
  • Internet Explorer version
  • RAS accounts
  • POP3 account information
  • FTP account information

The trojan can send the information to a remote machine.


The trojan contains a list of URLs with 1 entry.


The HTTP protocol is used.

Other information

The trojan creates the following files:

  • %system%\xflasett

The trojan can download and execute a file from the Internet.
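
The following PowerShell check is an added example, not part of the original description. It looks for the artifacts listed above: the dropped files, the Run value and the service. It assumes %system% is the Windows system directory and additionally checks SysWOW64 and the WOW6432Node Run key, which this page does not mention; Find-YuristArtifact is a hypothetical function name.

```powershell
# Added example: checks a host for the Win32/Yurist artifacts named on this page.
# Assumption: %system% is the Windows system directory. SysWOW64 and the
# WOW6432Node Run key are also checked because a 32-bit process on 64-bit
# Windows is redirected there.
function Find-YuristArtifact {
    $findings = @()

    # Dropped copy (xflash.exe) and the additional file the trojan creates (xflasett)
    $dirs = @([Environment]::SystemDirectory, (Join-Path $env:SystemRoot 'SysWOW64')) |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        foreach ($name in 'xflash.exe', 'xflasett') {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Value = $null }
            }
        }
    }

    # Run value "xflash" = "xflash.exe"
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-ItemProperty -LiteralPath $key -Name 'xflash' -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Location = $key; Value = $item.xflash }
        }
    }

    # Service registered under the name "xflash"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='xflash'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Value = $svc.PathName }
    }

    $findings
}

Find-YuristArtifact | Format-Table -AutoSize
```

An empty result means none of the listed artifacts were found. A match on the name alone is only a lead, so compare the Run value and the service path against the file location given above before treating it as confirmed.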
