Backdoor:Win32/Yonsole.A

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jun 08, 2010

Aliases
  • Win-Trojan/Torr.111104.AL (AhnLab)
  • W32/OnlineGames.EI.gen!Eldorado (Command)
  • Backdoor.Win32.Torr.cep (Kaspersky)
  • Trojan:Win32/Malagent (Microsoft)
  • Backdoor.Torr.QS (VirusBuster)
  • Trojan horse Dropper.Generic2.DJQ (AVG)
  • Trojan.Generic.3777760 (BitDefender)
  • Win32/Tnega.AJE (CA)
  • Win32/Farfli.AK (ESET)
  • Backdoor.Win32.Torr (Ikarus)
  • Generic BackDoor!cqn (McAfee)
  • Trj/Downloader.MDW (Panda)
  • Trojan.Win32.Generic.5200D50B (Rising AV)
  • Troj/Bckdr-RBZ (Sophos)
  • Trojan.Win32.Generic!BT (Sunbelt Software)
  • Mal_PClient (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.137.1152.0
Released: Oct 05, 2012
Detection initially created:
Definition: 1.83.912.0
Released: Jun 01, 2010

Summary

Backdoor:Win32/Yonsole.A is a trojan that allows unauthorized access and control of an affected computer, and connects to a remote host for instructions.


Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    f00165500k.cmd
  • The presence of the following registry modifications:
    Adds value: "ServiceDll"
    With data: "<system folder>\f00165500k.cmd"
    Under key: HKLM\SYSTEM\CurrentControlSet\Services\F00165500K\Parameters

Technical Information (Analysis)

Backdoor:Win32/Yonsole.A is a trojan that allows unauthorized access and control of an affected computer, and connects to a remote host for instructions.
Installation
When executed, Backdoor:Win32/Yonsole.A injects itself into services.exe and drops a DLL file into the <system folder>, for example:

f00165500k.cmd

Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The DLL file contains the backdoor functionality and may be detected as Backdoor:Win32/Yonsole.B. Backdoor:Win32/Yonsole.A installs the dropped DLL as a Service DLL to make sure it is loaded at each Windows start, for example:

Adds value: "ServiceDll"
With data: "<system folder>\f00165500k.cmd"
Under key: HKLM\SYSTEM\CurrentControlSet\Services\F00165500K\Parameters
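The following script is an added example and is not part of the Microsoft encyclopedia entry. It shows how an administrator or responder can audit svchost-hosted services for the kind of ServiceDll persistence described above. It goes beyond the single indicator on this page: besides matching the file name f00165500k.cmd, it flags any ServiceDll value whose file is not a .dll, is missing from disk, or lacks a valid Authenticode signature. The function name Get-SuspiciousServiceDll and its parameter are assumptions of this example, and it assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the encyclopedia entry): audit ServiceDll registrations
# for persistence of the kind Backdoor:Win32/Yonsole.A uses.
# Assumption: run in an elevated PowerShell session on the host under review.

function Get-SuspiciousServiceDll {
    [CmdletBinding()]
    param(
        # File name taken from the encyclopedia entry; extend with other known names as needed.
        [string[]]$KnownBadFileNames = @('f00165500k.cmd')
    )

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $paramsPath = Join-Path $svc.PSPath 'Parameters'
        if (-not (Test-Path -LiteralPath $paramsPath)) { continue }

        # Get-ItemProperty expands REG_EXPAND_SZ data such as %SystemRoot%\... for us.
        $props = Get-ItemProperty -LiteralPath $paramsPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.PSObject.Properties['ServiceDll']) { continue }

        $dll = ([string]$props.ServiceDll).Trim('"')
        $reasons = New-Object System.Collections.Generic.List[string]

        # 1. Direct match against the indicator named on the page.
        $fileName = [System.IO.Path]::GetFileName($dll)
        if ($KnownBadFileNames -contains $fileName) {
            $reasons.Add("file name matches known indicator '$fileName'")
        }

        # 2. A service DLL registered with a non-.dll extension (here a .cmd file) is a red flag.
        $ext = [System.IO.Path]::GetExtension($dll)
        if ($ext -ne '.dll') {
            $reasons.Add("ServiceDll has non-DLL extension '$ext'")
        }

        # 3. Missing file, or a file without a valid Authenticode signature.
        if (-not (Test-Path -LiteralPath $dll)) {
            $reasons.Add('ServiceDll path does not exist on disk')
        }
        else {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            if ($sig.Status -ne 'Valid') {
                $reasons.Add("Authenticode status is $($sig.Status)")
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.PSChildName
                ServiceDll = $dll
                Reasons    = $reasons -join '; '
            }
        }
    }
}

# Usage: list every svchost-hosted service whose ServiceDll deserves a closer look.
Get-SuspiciousServiceDll | Format-Table -AutoSize
```

Unsigned service DLLs are not rare on a system with third-party software installed, so treat the signature finding as a prompt for review rather than proof of infection; the file-name match and the non-.dll extension are the strong signals for this particular threat, and a hit on either should be followed by the full-system scan recommended in the Recovery section.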

Analysis by Chun Feng

Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.