Backdoor:Win32/Fynloski.A

Fynloski.A is a repackaged version of a remote access tool (RAT) and might come in a variety of installer types.

Installation

• %APPDATA%\microsoft\lookupsvi.exe
• %APPDATA%\microsoft\secdrv.exe
• %USERPROFILE%\desktop\order.exe

It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Macrovision Security Driver"
With data: "%APPDATA%\microsoft\lookupsvi.exe"

The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

Payload

Allows backdoor access and control

Fynloski.A lets a malicious hacker remotely access your PC. It can let the malicious hacker do any of the following:

• Capture video from your webcam
• Control the clipboard
• Control the mouse, including the clicks
• Display a message box
• Download and run files
• Gather information about your PC
• Hide the operating system's default screens and windows
• Open and close the CD-ROM drive door
• Record sound produced by the PC
• Record keystrokes
• Set a custom background
• Steal passwords from known applications
• Type text on the screen

Collects your sensitive information

This threat can collect your sensitive information without your consent. This can include:

• The keys you press
• Your web browsing history
• Your credit card information
• Your user names and passwords

It could also imitate a legitimate website to lure you into revealing your sensitive information.

• slimx.comule.comusing port 80
• slimmy.noip.me using port 200

Additional information

Creates a mutex

This threat can create a mutex on your PC. For example:

• DC_MUTEX-SWNQ6GE

It might use this mutex as an infection marker to prevent more than one copy of the threat running on your PC.

Analysis by Daniel Chipiristeanu