Trojan:Win32/Flymux.A is a trojan that changes web browser settings and attempts to download and run arbitrary files.
Installation
Trojan:Win32/Flymux.A is installed by other malware. When run, this trojan copies itself using the name of an existing folder, with an .EXE file extension. The folder's attributes are set to hidden and the trojan file's icon resembles a file folder, as in the following example:
Because file extensions are hidden in a default Windows environment, this maximizes the chance that a user executes the trojan instead of opening the intended folder. When the trojan is run, it executes its code and also opens the folder of the same name.
The trojan drops the following files:
%SystemRoot%\System32\iccy450.dll
%SystemRoot%\System32\taoba_1.dll
%SystemRoot%\System32\cpa_1.exe
%SystemDrive%\375519961o57540.bat
The following registry data is created during installation and execution of Trojan:Win32/Flymux.A:
In subkey: HKLM\SOFTWARE\Softfy\Plug\Plugname
Sets value: "LogonName"
With data: "iccy450.dll"
In subkey: HKLM\SOFTWARE\Softfy\Plug
Sets value: "PlugUserName"
With data: "full69"
In subkey: HKLM\SOFTWARE\Softfy\Plug\Down
Sets value: "PlugOne"
With data: "1.0.0"
In subkey: HKLM\SOFTWARE\Softfy\Plug\WebIni
Sets value: "WebIniVer"
With data: "1.0.0"
In subkey: HKLM\SOFTWARE\Softfy\LockPage
Sets value: "LockPageNum"
With data: "0"
In subkey: HKLM\SOFTWARE\Softfy\CSID
Sets value: "csid"
With data: "{c4560d12-ce25-4a2e-a5d4-b5070fcbe282}"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Sets value: "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"
With data: "Browseui preloader"
Sets value: "{8C7461EF-2B13-11d2-BE35-3078302C2030}"
With data: "Component Categories cache daemon"
Sets value: "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"
With data: "csiddll"
In subkey: HKCR\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32
Sets value: "@"
With data: "%windir%\System32\iccy450.dll"
Sets value: "ThreadingModel"
With data: "Apartment"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32
Sets value: "@"
With data: "%windir%\System32\taoba_1.dll"
Sets value: "ThreadingModel"
With data: "Apartment"
The batch script "375519961o57540.bat" is run to remove the executed copy of Trojan:Win32/Flymux.A, after it has completed the above actions.
Payload
Changes Windows Explorer settings
Trojan:Win32/Flymux.A changes the view settings for Windows Explorer to prevent displaying files with hidden attributes, hide protected operating system files, and hide file extensions of known file types by modifying the following registry data:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: 0
Sets value: "HideFileExt"
With data: 1
Sets value: "ShowSuperHidden"
With data: 0
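The Explorer view changes above and the SharedTaskScheduler/CLSID persistence listed under Installation are both simple to check for in a registry snapshot. The following detection helper is an added example, not code from the encyclopedia entry; it assumes a snapshot already loaded into a dictionary keyed by subkey path (the SAMPLE_REG below is constructed from the values on this page), and treats any SharedTaskScheduler entry other than the two stock Windows CLSIDs as suspect.

```python
# Added example: scan a registry snapshot (dict of subkey -> {value: data})
# for the Explorer view changes and SharedTaskScheduler persistence
# described in this entry. Not code from the original page.

# Stock SharedTaskScheduler entries on a clean install (both listed on this
# page); anything else registered there deserves a look.
KNOWN_SHARED_TASK_CLSIDS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}

ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
STS = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"

def check_explorer_view(reg):
    """Report the three view settings flipped to the values that hide the
    folder-lookalike .exe: Hidden=0, HideFileExt=1, ShowSuperHidden=0."""
    flipped = {"Hidden": 0, "HideFileExt": 1, "ShowSuperHidden": 0}
    values = reg.get(ADVANCED, {})
    return [f"{ADVANCED}\\{name} = {values[name]}"
            for name, bad in flipped.items() if values.get(name) == bad]

def check_shared_task_scheduler(reg):
    """Return (clsid, description, dll) for every SharedTaskScheduler entry
    not in the known-good set, resolving the CLSID's InprocServer32 DLL."""
    findings = []
    for clsid, desc in reg.get(STS, {}).items():
        if clsid.upper() in KNOWN_SHARED_TASK_CLSIDS:
            continue
        dll = None
        for root in (r"HKCR\CLSID", r"HKLM\SOFTWARE\Classes\CLSID"):
            dll = reg.get(f"{root}\\{clsid}\\InprocServer32", {}).get("@")
            if dll:
                break
        findings.append((clsid, desc, dll))
    return findings

# Constructed snapshot mirroring the registry data listed on this page.
SAMPLE_REG = {
    ADVANCED: {"Hidden": 0, "HideFileExt": 1, "ShowSuperHidden": 0},
    STS: {
        "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "Browseui preloader",
        "{8C7461EF-2B13-11d2-BE35-3078302C2030}": "Component Categories cache daemon",
        "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}": "csiddll",
    },
    r"HKCR\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32": {
        "@": r"%windir%\System32\iccy450.dll", "ThreadingModel": "Apartment"},
}

if __name__ == "__main__":
    for finding in check_explorer_view(SAMPLE_REG):
        print("view setting:", finding)
    for clsid, desc, dll in check_shared_task_scheduler(SAMPLE_REG):
        print("SharedTaskScheduler:", clsid, desc, "->", dll)
```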
Changes Internet Explorer home page setting and redirects web browser
This trojan changes the home page setting for Internet Explorer to the URL "48850.cn". The trojan also monitors sites visited and when visiting the online retail site "taobao.com", the trojan redirects the browser to the site "pindao.huoban.taobao.com" to display advertisements.
Connects to remote websites
The trojan attempts to contact the following remote website to retrieve configuration data in a page named "softsize.asp":
In the wild, the configuration data contained other download links for the trojan's use; for example, it may contact the following sites to download arbitrary programs:
- 202.102.234.116 - requests file "pipi_211_115.exe", unavailable at the time of this writing
- down12580.com - requests file "flymy.dll", unavailable at the time of this writing
Analysis by Xinrui Qin