Threat Encyclopedia

Win32/Chyzvis.B

Aliases: Trojan.Win32.Scar.bwot (Kaspersky), DLOADER.IRC.Trojan (Dr.Web), BackDoor.Ircbot.LUQ trojan (AVG)
Type of infiltration: Worm
Size: 238592 B
Affected platforms: Microsoft Windows
Signature database version: 4947 (20100315)

Short description

Win32/Chyzvis.B is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the following location:
  • %system%\Sysinfo.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Sysinfo.exe" = "%system%\Sysinfo.exe"
The worm executes the following command:
  • cmd.exe /K netsh firewall add allowedprogram %system%\Sysinfo.exe sysupdate ENABLE & exit
The performed command creates an exception in the Windows Firewall.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:
  • idg2.exe
The following file is dropped in the same folder:
  • Autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm may create the following files:
  • %system%\nethlp.dll
  • %system%\winupd.dat
  • %system%\winupd.apt
  • %system%\syslog.dll
  • %windows%\s.jpg
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA" = 0
Setting this value disables User Account Control (UAC).
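As an added example (not part of the ESET entry), the following Python turns the indicators above into offline host checks: the Run persistence entry for Sysinfo.exe, the EnableLUA policy value, and an Autorun.inf on removable media that launches idg2.exe. Registry data is passed in as a plain dict (on a live host it would be parsed from a registry export), and the sample inputs are constructed.

```python
# Added example, not ESET's code: offline checks for this entry's indicators.
# Inputs are plain Python values; on a live host they would come from a
# registry export and the root of a mounted removable drive.

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DROPPED_EXE = "sysinfo.exe"   # %system%\Sysinfo.exe, compared case-insensitively
REMOVABLE_EXE = "idg2.exe"    # copy placed in the root of removable drives


def check_registry(values):
    """values: {key_path: {value_name: data}} parsed from a registry export.
    Returns a list of findings (empty when nothing matches)."""
    findings = []
    for name, data in values.get(RUN_KEY, {}).items():
        target = str(data).strip('"').lower()
        if name.lower() == DROPPED_EXE or target.endswith("\\" + DROPPED_EXE):
            findings.append(f"Run persistence: {name} = {data}")
    if str(values.get(POLICY_KEY, {}).get("EnableLUA", "1")) == "0":
        findings.append("UAC disabled: EnableLUA = 0")
    return findings


def check_autorun_inf(text):
    """text: contents of an Autorun.inf. Returns True when its [autorun]
    section would launch the worm's file through one of the launch keys."""
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()  # open=, shellexecute=, shell\...\command=
            if key in ("open", "shellexecute") or key.startswith("shell\\"):
                if REMOVABLE_EXE in value.strip().lower():
                    return True
    return False


# Constructed sample inputs mirroring the entry's indicators.
SAMPLE_REGISTRY = {
    RUN_KEY: {"Sysinfo.exe": r"%system%\Sysinfo.exe"},
    POLICY_KEY: {"EnableLUA": 0},
}
SAMPLE_AUTORUN = "[autorun]\nopen=idg2.exe\nshell\\open\\command=idg2.exe\n"
```

`check_registry(SAMPLE_REGISTRY)` reports both the Run entry and the disabled UAC; `check_autorun_inf(SAMPLE_AUTORUN)` returns True, while an Autorun.inf that launches some other file returns False.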
The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:
  • vnx.xf.cz
  • leaf.nerv.ne.jp
The FTP, IRC and HTTP protocols are used. It can be controlled remotely.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • open a specific URL address
  • steal information from the Windows clipboard
  • capture screenshots
  • run executable files
  • delete files
  • move files
The worm collects information related to the following applications:
  • Total Commander
The worm collects the following information:
  • FTP account information
The worm can send the information to a remote machine. The FTP protocol is used.