Threat behavior
Trojan:Win32/Fydown.A is installed by TrojanDownloader:Win32/Adload.BE.dll. Win32/Fydown may disable numerous security applications from executing and may download and execute arbitrary files from a predefined remote Web server.
Installation
Once installed and executed, this trojan drops a configuration data file as the following:
<system folder>\web.ini
The trojan then attempts to connect to a remote Web server "k-fc.cn". The trojan drops an additional component as the following:
%windir%\system32\FloodCore.dll - Trojan:Win32/Fydown.A.dll
Payload
Disables security applications
Trojan:Win32/Fydown.A deletes numerous values from registry subkeys named after security applications; this may prevent the related applications from executing.
Deletes values:
360Safe.exe
WoptiClean.exe
webscanx.exe
vsstat.exe
UpLive.exe
UmxPol.exe
UmxFwHlp.exe
UmxCfg.exe
UmxAttachment.exe
UmxAgent.exe
UIHost.exe
TrojDie.kxp
Trojanwall.exe
TrojanDetector.exe
SysSafe.exe
symlcsvc.exe
SREng.exe
SmartUp.exe
shcfg32.exe
scan32.exe
safelive.exe
runiep.exe
rstray.exe
rsnetsvr.exe
Rsaupd.exe
RsAgent.exe
rfwstub.exe
rfwsrv.exe
rfwProxy.exe
rfwmain.exe
rfwcfg.exe
RegTool.exe
regmon.exe
RegClean.exe
RawCopy.exe
RavStub.exe
RavMonD.exe
Ras.exe
QQKav.exe
QQDoctor.exe
QHSET.exe
procexp.exe
PFWLiveUpdate.exe
PFW.exe
OllyICE.exe
OllyDBG.exe
NPFMntor.exe
nod32kui.exe
nod32krn.exe
nod32.exe
Navapw32.exe
Navapsvc.exe
mmsk.exe
mmqczj.exe
mcconsol.exe
MagicSet.exe
KWatchX.exe
KWatch9x.exe
KWatch.exe
KvXP_1.kxp
KvXP.kxp
kvwsc.exe
kvupload.exe
KVStub.kxp
KVSrvXP.exe
KVScan.kxp
KvReport.kxp
kvolself.exe
kvol.exe
KVMonXP_1.kxp
KVMonXP.kxp
KvfwMcl.exe
KvDetect.exe
KVCenter.kxp
KsLoader.exe
KRepair.com
KRegEx.exe
KPfwSvc.exe
KPFW32X.exe
KPFW32.exe
KMFilter.exe
KMailMon.exe
KISLnchr.exe
KAVStart.exe
KAVSetup.exe
KAVPFW.exe
KAVPF.exe
KAVDX.exe
KAV32.exe
KASTask.exe
KASMain.exe
KaScrScn.SCR
kabaload.exe
isPwdSvc.exe
Iparmor.exe
iparmo.exe
IceSword.exe
HijackThis.exe
FYFireWall.exe
FTCleanerShell.exe
filemon.exe
FileDsty.exe
EGHOST.exe
ccSvcHst.exe
CCenter.exe
avp.exe
avp.com
AvMonitor.exe
avgrssvc.exe
avconsol.exe
autoruns.exe
AppSvc32.exe
AgentSvr.exe
adam.exe
Within subkey: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
Downloads and executes arbitrary files
The trojan attempts to download files from the remote Web server "floodad.com". Once downloaded, the files are executed.
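As an added host triage example (not part of the original analysis), the following PowerShell checks a machine for the indicators this page lists: the two dropped files, Image File Execution Options subkeys for a subset of the named security applications, and the two remote servers in the DNS client cache. The subset of process names, the variable names and the output format are my own choices; the paths, hive and server names are taken from the description above.

```powershell
# Added triage example for Trojan:Win32/Fydown.A indicators (not the original analysis).
# Run in an elevated PowerShell session; read-only, nothing is modified.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$droppedFiles = @(
    (Join-Path $env:windir 'system32\web.ini'),       # configuration data file
    (Join-Path $env:windir 'system32\FloodCore.dll')  # Trojan:Win32/Fydown.A.dll component
)
# Subset of the security application names listed above; extend with the full list as needed.
$watchedApps = @('360Safe.exe', 'avp.exe', 'nod32krn.exe', 'KAVStart.exe',
                 'HijackThis.exe', 'IceSword.exe', 'procexp.exe', 'autoruns.exe')
$servers = @('k-fc.cn', 'floodad.com')   # remote Web servers named in the description

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Dropped files: report size and modification time if present.
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f
        $findings.Add([pscustomobject]@{
            Type   = 'DroppedFile'
            Name   = $f
            Detail = '{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime
        })
    }
}

# 2. IFEO subkeys for the watched applications: list which exist and what values remain,
#    since the trojan deletes values under these subkeys.
foreach ($app in $watchedApps) {
    $key = Join-Path $ifeoPath $app
    if (Test-Path -LiteralPath $key) {
        $values = (Get-Item -LiteralPath $key).GetValueNames()
        $detail = if ($values.Count -gt 0) { 'values: ' + ($values -join ', ') } else { 'no values' }
        $findings.Add([pscustomobject]@{ Type = 'IFEOSubkey'; Name = $app; Detail = $detail })
    }
}

# 3. DNS client cache: any cached lookup of the two servers suggests contact was attempted.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache | Where-Object { $servers -contains $_.Entry } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Type = 'DnsCache'; Name = $_.Entry; Detail = "data: $($_.Data)" })
    }
}

$findings | Format-Table -AutoSize
```

An empty table means none of the listed indicators were found on this host; a populated DroppedFile row is the strongest signal, because the IFEO subkeys may also exist legitimately on systems where those tools are installed.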
Analysis by Dan Kurc
Prevention