Fynloski.A is a repackaged version of a remote access tool (RAT) and might come in a variety of installer types.
This threat can create files on your PC, including:
It modifies the registry so that it runs each time you start your PC. For example:
In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Macrovision Security Driver"
With data: "%APPDATA%\microsoft\lookupsvi.exe"
The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.
Allows backdoor access and control
Fynloski.A lets a malicious hacker remotely access your PC. It can let the malicious hacker do any of the following:
- Capture video from your webcam
- Control the clipboard
- Control the mouse, including the clicks
- Display a message box
- Download and run files
- Gather information about your PC
- Hide the operating system's default screens and windows
- Open and close the CD-ROM drive door
- Record sound produced by the PC
- Record keystrokes
- Set a custom background
- Steal passwords from known applications
- Type text on the screen
Collects your sensitive information
This threat can collect your sensitive information without your consent. This can include:
- The keys you press
- Your web browsing history
- Your credit card information
- Your user names and passwords
It could also imitate a legitimate website to lure you into revealing your sensitive information.
Connects to a remote host
We have seen this threat connect to a remote host, including:
slimx.comule.comusing port 80
slimmy.noip.me using port 200
Malware can connect to a remote host to do any of the following:
- Check for an Internet connection
- Download and run files (including updates or other malware)
- Report a new infection to its author
- Receive configuration or other data
- Receive instructions from a malicious hacker
- Search for your PC location
- Upload information taken from your PC
- Validate a digital certificate
Creates a mutex
This threat can create a mutex on your PC. For example:
It might use this mutex as an infection marker to prevent more than one copy of the threat running on your PC.
Analysis by Daniel Chipiristeanu