YolrotX - Backdoor.Win32.Poison.apec is a new malware sample written in Visual Basic 6.0.
This variant is not detected by Avast; only 6 antivirus engines detect it (VirusTotal result below).
Size: 61493 bytes
It extracts itself to %windir%\System32 under 3 different names: update.exe, security.exe, avg.exe.
It also opens Internet Explorer and browses to the golo.com website.
It also appears to use the Microsoft Base Cryptographic Provider v1.0 (a CryptoAPI CSP).
The username of the author is Basic, so we can refer to the author as Basic.
It also tries to download the following files into System32 (remote URL -> local name):
hxxp://www.oviedolocal3476.com/mail/bin/msm.exe -> \system32\updates.exe
hxxp://www.oviedolocal3476.com/mail/bin/plugoff.exe -> \system32\securitys.exe
hxxp://www.oviedolocal3476.com/mail/bin/regdllhelper.exe -> \system32\drivess.exe
When it starts executing it also drops a driver named "drive.sys" (plus "drive.sys.off") into System32\Drivers and shows some rootkit behaviour: when scanning with RKU (Rootkit Unhooker) it reports an attempt to hide the update.exe process.
It opens a handle to cmd.exe.
No API hooking was observed in this sample, even though RKU reports the hidden process.
It sets itself to run at startup with 3 different entries under the following key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run
\System32\avg.exe
\System32\update.exe
\System32\security.exe
Easy to kill: just terminate update.exe, security.exe and globo.exe and the malware becomes inactive (the Run entries and dropped files remain, so remove them as well or it comes back at the next logon).
VT result: 6/42 (14.29%)
Can you please analyze this malware and add it to Avast's detection list?
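The following triage/cleanup script is an added example, not code from the original post or its author. It checks a live Windows host for the indicators listed above (the three dropped copies, the three download targets, the two driver files, the HKLM Run entries and the running processes) and, with -Remove, kills the processes and deletes the persistence and the files. The file, driver and Run-key names come from the post; the script layout, the -Remove switch and the cleanup order are assumptions of the example.

```powershell
# Added example: triage and cleanup for the YolrotX indicators named in the post.
# Not from the original post. Assumes an elevated PowerShell on a live Windows
# host; indicator names are taken from the post, everything else is assumed.
param([switch]$Remove)   # without -Remove the script only reports

$sys32   = Join-Path $env:windir 'System32'
$drivers = Join-Path $sys32 'Drivers'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Names from the post: the three dropped copies, the three download targets,
# and the two driver files. globo.exe is included because the post names it.
$exeNames    = 'update.exe','security.exe','avg.exe','updates.exe','securitys.exe','drivess.exe','globo.exe'
$driverNames = 'drive.sys','drive.sys.off'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($kind, $item, $name) {
    $findings.Add([pscustomobject]@{ Kind = $kind; Item = $item; Name = $name })
}

# 1. Dropped executables in System32 and driver files in System32\Drivers
foreach ($n in $exeNames) {
    $p = Join-Path $sys32 $n
    if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p $null }
}
foreach ($n in $driverNames) {
    $p = Join-Path $drivers $n
    if (Test-Path -LiteralPath $p) { Add-Finding 'Driver' $p $null }
}

# 2. Run-key values whose command line points at one of the dropped names.
#    -match is case-insensitive by default; the trailing group allows an
#    optional closing quote or arguments after the file name.
$pattern = '\\(' + (($exeNames | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(\s|"|$)'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... are not Run values
        if ("$($prop.Value)" -match $pattern) {
            Add-Finding 'RunKey' "$runKey\$($prop.Name) = $($prop.Value)" $prop.Name
        }
    }
}

# 3. Running copies loaded from System32. The post says RKU saw update.exe
#    being hidden, so an absent process here is not proof it is not running.
$procNames = $exeNames | ForEach-Object { [System.IO.Path]::GetFileNameWithoutExtension($_) }
$procs = Get-Process -Name $procNames -ErrorAction SilentlyContinue |
         Where-Object { $_.Path -and $_.Path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase) }
foreach ($p in $procs) { Add-Finding 'Process' "$($p.Id) $($p.Path)" $null }

$findings | Format-Table Kind, Item -AutoSize
if (-not $Remove -or $findings.Count -eq 0) { return }

# Cleanup order: stop the processes first so the files are not locked and the
# Run entries are not re-created, then remove persistence, then the files.
$procs | Stop-Process -Force -ErrorAction SilentlyContinue
foreach ($f in $findings) {
    switch ($f.Kind) {
        'RunKey' { Remove-ItemProperty -Path $runKey -Name $f.Name -ErrorAction SilentlyContinue }
        'File'   { Remove-Item -LiteralPath $f.Item -Force -ErrorAction SilentlyContinue }
        'Driver' { Remove-Item -LiteralPath $f.Item -Force -ErrorAction SilentlyContinue }
    }
}
```

Run it without arguments first to see what is present, then with -Remove from an elevated prompt. The post does not say how drive.sys is loaded, so the script only deletes the file and does not touch any service entry; and because the sample hides update.exe from live process listings, results from the infected system itself should be confirmed with an offline scan of the disk and registry hives.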
Source: offensivecomputing.net