Trojan:Win32/Urelas.C is a trojan that monitors certain card game applications and sends screenshots and information about your computer to a remote server. It also drops Trojan:Win32/Urelas.A, a DLL component that carries the same payload.
You may inadvertently download the trojan, thinking it is a program related to a card game.
In the wild, we have observed Trojan:Win32/Urelas.C downloaded with the following file names:
When run, the trojan drops the following files in the <system folder>:
- this file may be used to store information captured by the trojan
- this file contains the remote server's address that the trojan connects to
<random>.exe, for example "lyycofez.exe" - also detected as Trojan:Win32/Urelas.C
<random>.dll, for example "lymucexuc.dll" - detected as Trojan:Win32/Urelas.A
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".
It also drops the file "_uninsep.bat" to the %TEMP% folder, a batch file that deletes the trojan's originally executed (EXE) file so that the initial dropper no longer remains on disk.
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the user's Temp folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
Trojan:Win32/Urelas.C creates the following registry entries so that its DLL component is loaded into a svchost.exe-hosted service at each Windows start:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<malware service name>\Parameters, for example "HKLM\SYSTEM\CurrentControlSet\Services\Jiuswan\Parameters"
Sets value: "ServiceDll"
With data: "<system folder>\<random>.dll", for example "C:\Windows\System32\lymucexuc.dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "<random name>", for example "Hiceegdiyfp"
With data: "<malware service name>", for example "Jiuswan"
The first entry makes the dropped DLL the implementation of the service; the second registers a new svchost group whose only member is that service, so svchost.exe loads the DLL under a generic process name.
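The following PowerShell triage script is an added example and is not part of the encyclopedia entry or of any Microsoft tooling. It walks the two registry locations named above, resolves each svchost group member to its ServiceDll, and flags the pattern this family leaves behind (a group holding a single service whose DLL sits in the System folder without a valid Authenticode signature), then looks for the dropped "_uninsep.bat" in each profile's Temp folder. The function names, the single-member-group heuristic and the assumption that the host is Vista or later (profiles under C:\Users) are the example's own, not the entry's.

```powershell
# Added example: hunt for the svchost-hosted persistence and the dropped batch file
# described in the Trojan:Win32/Urelas.C entry. Not part of the original page.
# Assumptions (hypothetical): run from an elevated PowerShell on Vista or later;
# heuristics are triage signals, not a detection signature.

$SvcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvcHostServiceDlls {
    # Enumerate every svchost group value and resolve each member service's ServiceDll.
    $groups = Get-ItemProperty -Path $SvcHostKey
    foreach ($prop in $groups.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($prop.Name -like 'PS*') { continue }
        $members = @($prop.Value)    # REG_MULTI_SZ arrives as string[]; wrap scalars too
        foreach ($svc in $members) {
            $paramsKey = Join-Path $ServicesKey "$svc\Parameters"
            $dll = $null
            if (Test-Path $paramsKey) {
                $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
            }
            # ServiceDll is usually REG_EXPAND_SZ, e.g. %SystemRoot%\System32\foo.dll
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $exists = [bool]($expanded -and (Test-Path $expanded))
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $expanded).Status } else { $null }
            [PSCustomObject]@{
                Group      = $prop.Name
                GroupSize  = $members.Count
                Service    = $svc
                ServiceDll = $expanded
                DllExists  = $exists
                Signature  = $sig
            }
        }
    }
}

function Find-SuspiciousSvcHostEntries {
    # Urelas.C pattern: a new group containing exactly one service, whose ServiceDll
    # lives in the System folder but does not carry a valid signature.
    Get-SvcHostServiceDlls | Where-Object {
        $_.GroupSize -eq 1 -and
        $_.ServiceDll -like "$env:SystemRoot\System32\*" -and
        $_.Signature -ne 'Valid'
    }
}

function Find-UninstallBatch {
    # The dropper writes _uninsep.bat to %TEMP%; check every profile's local Temp folder,
    # since the infected user may not be the one running this script.
    Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp\_uninsep.bat' } |
        Where-Object { Test-Path $_ }
}

Find-SuspiciousSvcHostEntries | Format-Table -AutoSize
Find-UninstallBatch
```

Treat the output as a worklist rather than a verdict: recent Windows releases legitimately define many single-service svchost groups, so the signature check does most of the filtering, and on older systems catalog-signed system DLLs can report NotSigned. Any hit whose DLL name looks random and whose service name matches nothing in the OS baseline deserves the file itself being pulled for analysis, together with the ServiceDll and SvcHost values as indicators.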
Gathers and uploads information to a remote server
Trojan:Win32/Urelas.C monitors the following processes that belong to certain card games:
The trojan gathers the following information if any of the above processes are found:
Trojan:Win32/Urelas.C sends this information to a remote server. We have observed it attempting to contact the following servers:
Related encyclopedia entries