
Trojan:Win32/Yoddos.A


Trojan:Win32/Yoddos.A is a trojan that allows limited remote access and control. The malware communicates with a command and control (C&C) server to receive commands from an attacker that could include sending denial of service (DoS) attacks against a specified target and the download and execution of arbitrary files.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
When run, the trojan drops a copy of itself as one of the following files:
  • <system folder>\<embedded file name>
  • %windir%\<embedded file name>
  • <system folder>\Program Files\Internet Explorer\<embedded file name>
 
where "<embedded file name>" varies per version of the trojan, for example "Antixgojx.exe" or "Anhldjxep.exe". The trojan may also drop a modified copy of itself as "360<random>.exe", such as "360khfdx.exe" or "360Trmje.exe". The file attributes of the dropped copies are set to "hidden" and "system", so they are not shown by a default directory listing.
 
The dropped file is executed and the original copy of the trojan is deleted. The registry is modified to run the dropped trojan component as a service at each Windows start. The service name and display name vary depending on the version of the trojan. The following are example service names, display names and description properties for the created service:
 
  • Service names:
    "MediaCpmcbk"
    "MehlaCkxjkk"
  • Display names:
    "MS Media Contfpd Center"
    "MS Media Chlezhf Center"
  • Descriptions (the misspellings are as they appear in the malware's own strings):
    "prolhphm support for media palyer. this service can't be stoped."
    "Projbbmh support for mhlia palyer. This service can't be stoped."
 
The malware injects code into any of the following processes:
  • <system folder>\explorer.exe
  • <system folder>\Program Files\Internet Explorer\iexplore.exe
  • <system folder>\svchost.exe
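The following PowerShell triage script is an added example for this page, not code from Microsoft or from the original entry. It turns the dropped-file and service characteristics listed above into a host check: it looks for a service whose display name or description follows the "MS Media <random> Center" / "... support for ... palyer ... can't be stoped" template, and for hidden+system executables (or 360<random>.exe) in the drop folders. The regular expressions, the function names (Find-YoddosPersistence, Test-HiddenSystem) and the %ProgramFiles%\Internet Explorer path are assumptions that generalise the example names on the page; other versions of the trojan may use different strings, so a clean run does not prove a clean host.

```powershell
# Added triage example for Trojan:Win32/Yoddos.A persistence (not the page's or Microsoft's code).
# ASSUMPTION: the regexes below generalise the example service strings on the page.
# ASSUMPTION: "<system folder>\Program Files\Internet Explorer" is checked both literally
#             and as %ProgramFiles%\Internet Explorer.

# Returns $true when a file carries both the Hidden and System attributes,
# the combination the page reports for the dropped copies.
function Test-HiddenSystem($Item) {
    if (-not $Item) { return $false }
    $a = $Item.Attributes
    return ((($a -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($a -band [IO.FileAttributes]::System) -ne 0))
}

function Find-YoddosPersistence {
    [CmdletBinding()]
    param()

    $ErrorActionPreference = 'SilentlyContinue'

    # --- 1. Services whose metadata matches the template of the page's examples ---
    # -match is case-insensitive, so "this service" and "This service" both hit.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        ($_.DisplayName -match '^MS Media \S+ Center$') -or
        ($_.Description -match 'support for \S+ palyer|can''t be stoped')
    }

    foreach ($svc in $services) {
        # PathName may be quoted or carry arguments; take the executable part.
        # (An unquoted path containing spaces is truncated at the first space.)
        if ($svc.PathName -match '^"([^"]+)"')   { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^(\S+)')   { $exe = $Matches[1] }
        else                                     { $exe = $svc.PathName }

        # -Force is needed because the dropped copies are hidden+system.
        $item = Get-Item -LiteralPath $exe -Force
        [pscustomobject]@{
            Finding      = 'Service'
            Name         = $svc.Name
            DisplayName  = $svc.DisplayName
            StartMode    = $svc.StartMode
            State        = $svc.State
            ProcessId    = $svc.ProcessId
            Path         = $exe
            HiddenSystem = Test-HiddenSystem $item
        }
    }

    # --- 2. Executables dropped into the folders the page lists ---
    $dropDirs = @(
        "$env:SystemRoot\System32",
        $env:SystemRoot,
        "$env:SystemRoot\System32\Program Files\Internet Explorer",  # literal reading of the page
        "$env:ProgramFiles\Internet Explorer"                         # assumed intended location
    ) | Where-Object { Test-Path -LiteralPath $_ }

    foreach ($dir in $dropDirs) {
        Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force | Where-Object {
            (Test-HiddenSystem $_) -or ($_.Name -match '^360[A-Za-z]+\.exe$')
        } | ForEach-Object {
            [pscustomobject]@{
                Finding      = 'File'
                Name         = $_.Name
                DisplayName  = $null
                StartMode    = $null
                State        = $null
                ProcessId    = $null
                Path         = $_.FullName
                HiddenSystem = Test-HiddenSystem $_
            }
        }
    }
}

# Run from an elevated prompt; service descriptions and hidden files need admin rights.
Find-YoddosPersistence | Format-Table -AutoSize
```

A service hit whose executable is also flagged HiddenSystem is the strongest lead; either finding alone is worth pulling the file for analysis. The script does not cover the code injection into explorer.exe, iexplore.exe or svchost.exe described above; that requires inspecting the memory of those processes, not the file system or the service database.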
 
Payload
Allows limited remote access and control
The trojan connects to the C&C server and initiates communication. The remote server name and port are hard-coded within the malware. Depending on the commands received, the trojan may do the following:
  • Perform DoS attacks against a specified target address
  • Download and execute updates of the trojan, or arbitrary files, located at a specified URL
  • Stop the malware service
  • Shut down the host machine
 
Analysis by Rodel Finones

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Alert level: Severe
First detected by definition: 1.89.471.0
Latest detected by definition: 1.191.304.0 and higher
First detected on: Aug 27, 2010
This entry was first published on: Nov 10, 2010
This entry was updated on: Apr 28, 2011

This threat is also detected as:
  • YoyoDDos botnet (other)
  • Trojan:Win32/SystemHijack.gen!C (other)
  • Dropper/Agent.31744.AM (AhnLab)
  • DDoS.S (AVG)
  • TR/Dopper.Gen2 (Avira)
  • Win32/SillyDl.PPC (CA)
  • BackDoor.Darkshell.246 (Dr.Web)
  • Win32/Agent.NWM (ESET)
  • Trojan-Dropper.Win32.Agent.ayqh (Kaspersky)
  • Generic Dropper!hv.n (McAfee)
  • W32/Agent.POAS (Norman)
  • Troj/Bdoor-AYY (Sophos)
  • Worm.Win32.Peerbot.A (Sunbelt Software)
  • TROJ_AGENT.SMA (Trend Micro)
  • BackDoor-DKA (McAfee)