
Analysis of new malware (YolrotX - Backdoor.Win32.Poison.apec)

This is the latest malware I obtained from the malware repositories. Here I describe how this specimen infects the system and which third-party actions it performs.
YolrotX
Written in Visual Basic 6.0
MD5 checksum: cb702c3319a27e792b84846d3d6c61ad
Size: 61493 bytes
Extracts itself to %windir%\System32 under 3 different names: update.exe, security.exe, avg.exe
It also opens Internet Explorer and tends to browse to the golo.com website.
It seems to use the following library: Microsoft Base Cryptographic Provider v1.0
The username of the author is Basic, so we can call the author Basic.
It also tries to download the following files to system32:

hxxp://www.oviedolocal3476.com/mail/bin/msm.exe
\system32\updates.exe

hxxp://www.oviedolocal3476.com/mail/bin/plugoff.exe
\system32\securitys.exe

hxxp://www.oviedolocal3476.com/mail/bin/regdllhelper.exe
\system32\drivess.exe

When it starts executing, it also drops drivers named "drive.sys" and "drive.sys.off" into system32\Drivers. It has some rootkit behavior: when scanning with RKU, it reports an attempt to hide the process update.exe.
Opens a handle to cmd.exe.
There seems to be no hooking behavior in this sample.
Sets itself to start at boot via the following key, with 3 different entries:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run
\System32\avg.exe
\System32\update.exe
\System32\security.exe
Easy to kill: just terminate update.exe, security.exe and globo.exe, and the malware becomes inactive.
VT result: 6/42 (14.29%)
VT permalink:
http://www.virustotal.com/analisis/ec89254ddb24b1c7f750d8c32d6e33d8f20959be410092401bbc28ee0bf19d07-1270075998
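Added detection example, not code from the original post: a small Python checker that matches a host snapshot against the indicators listed above (dropped file names in System32 and System32\Drivers, the three Run-key entries, and the sample's MD5). The snapshot (Run values, file paths and their MD5 hashes) is constructed here, and Run values are assumed to be bare paths as shown above.

```python
import ntpath

# Indicators taken from the write-up above.
SAMPLE_MD5 = "cb702c3319a27e792b84846d3d6c61ad"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_EXES = {"update.exe", "security.exe", "avg.exe",
                "updates.exe", "securitys.exe", "drivess.exe"}
DROPPED_DRIVERS = {"drive.sys", "drive.sys.off"}


def check_run_values(run_values):
    """run_values: dict of Run value name -> command string (assumed bare path).
    Returns the sorted value names that launch one of the dropped executables."""
    hits = []
    for name, cmd in run_values.items():
        exe = ntpath.basename(cmd.strip().strip('"')).lower()
        if exe in DROPPED_EXES:
            hits.append(name)
    return sorted(hits)


def check_files(file_index):
    """file_index: dict of full path -> precomputed MD5 hex digest.
    Returns (path, reason) findings for dropped names in the expected
    directories and for any file whose hash matches the sample."""
    findings = []
    for path, md5 in file_index.items():
        directory, name = ntpath.split(path)
        directory, name = directory.lower(), name.lower()
        if directory.endswith(r"\system32") and name in DROPPED_EXES:
            findings.append((path, "dropped executable name"))
        if directory.endswith(r"\system32\drivers") and name in DROPPED_DRIVERS:
            findings.append((path, "dropped driver name"))
        if md5.lower() == SAMPLE_MD5:
            findings.append((path, "md5 matches sample"))
    return findings


# Constructed snapshot of a host, not real telemetry: two infected Run values
# plus a benign one, and three files with made-up hashes (update.exe gets the
# sample's MD5 to show the hash match).
SNAPSHOT_RUN = {
    "avg": r"C:\WINDOWS\System32\avg.exe",
    "update": r"C:\WINDOWS\System32\update.exe",
    "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",
}
SNAPSHOT_FILES = {
    r"c:\windows\system32\update.exe": SAMPLE_MD5,
    r"c:\windows\system32\drivers\drive.sys": "d41d8cd98f00b204e9800998ecf8427e",
    r"c:\windows\system32\ctfmon.exe": "0123456789abcdef0123456789abcdef",
}
```

On a live host the two dictionaries would come from the Run key named above and a file-hash sweep of System32 and System32\Drivers; the hash check is the only indicator that does not depend on the file name.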

Download the sample from here:
http://www.multiupload.com/I5OPJU5DIN
Password: Infected

P.S.: I've added it to the OC database; try searching for this one: cb702c3319a27e792b84846d3d6c61ad