Threat behavior
Trojan:Win32/Yoddos.A is a trojan that allows limited remote access and control. The malware communicates with a command and control (C&C) server to receive commands from an attacker that could include sending denial of service (DoS) attacks against a specified target and the download and execution of arbitrary files.
Installation
When run, the trojan drops a copy of itself as any of the following files:
- <system folder>\<embedded name>
- %windir%\<embedded name>
- <system folder>\Program Files\Internet Explorer\<embedded name>
Where "<embedded file name>" varies per version of the trojan, such as "Antixgojx.exe" or "Anhldjxep.exe" for example. The trojan may also drop a modified copy of itself as "360<random>.exe", such as "360khfdx.exe" or "360Trmje.exe". The file attributes of the dropped trojan copies are set to "hidden" and "system".
The dropped file is executed and the original copy of the trojan is deleted. The registry is modified to run the dropped trojan component as a service at each Windows start. The service and display name varies depending on the version of the trojan. The following are example service names, display names and description properties for the created service:
- Service names:
"MediaCpmcbk"
"MehlaCkxjkk"
- Display names:
"MS Media Contfpd Center"
"MS Media Chlezhf Center"
- Descriptions:
"prolhphm support for media palyer. this service can't be stoped."
"Projbbmh support for mhlia palyer. This service can't be stoped."
The malware injects code into any of the following processes:
-
<system folder>\explorer.exe
-
<system folder>\Program Files\Internet Explorer\iexplore.exe
-
<system folder>\svchost.exe
Payload
Allows limited remote access and control
The trojan connects to the C&C server and initiates communication. The remote server name and port are hard-coded within the malware. Depending on the commands received, the trojan may do the following:
-
Perform DoS attacks against a specified target address
-
Download and execute updates of the trojan, or arbitrary files, located at a specified URL
- Stop the malware service
- Shut down the host machine
Analysis by Rodel Finones
Prevention
