Win32/Fynloski

This family of backdoor trojans uses a remote administration tool (RAT) called "Dark Comet' to perform various functions on your PC without your knowledge.

Installation

Variants of the family can be installed in a number of ways, including through the use of legitimate installers or from other malware tools.

We've seen the following threats install Win32/Fynloski:

• TrojanDownloader:097M/Donoff
• TrojanDownloader:Win32/Dimegup
• TrojanDropper:Win32/Swisyn

We've also seen this threat distributed by exploits, for example:

• Exploit:Java/Toniper

It might also arrive as an email attachment in a spam email, or be spammed out though social networking sites.

The file names used by the malware vary widely between installations of the threat, but generally they appear as spoofs of system, legitimate, or generic file names. They may also use names used by the RAT known as DarkComet, such as:

• darkcomet rat.exe
• dcmodule.exe

It modifies the registry entry so that it runs each time you start your PC. There are many different variations on what subkey or value the threat uses.

Payload

Steals sensitive information

Using this RAT, the malware can perform any number of actions on your PC, including but not limited to:

• Capture video from your webcam
• Control the clipboard
• Control the mouse, including what it clicks on
• Display a message box
• Download and run files
• Get information about your PC
• Hide your PC's default screens and windows
• Open and close the CD-ROM drive
• Record sound produced by the PC
• Record keystrokes
• Set a custom background
• Steal passwords from known applications, including web browsers and MSN
• Steal text from the clipboard
• Type text on the screen
• Receive other remote commands from an attacker

We've seen this threat store stolen keystrokes in the following locations:

• %APPDATA%\dclogs\YYYY-MM-DD-[0-9].dc
• %TEMP%\dclogs\YYYY-MM-DD-[0-9].dc

Contacts remote attackers

The threat sends the data it steals back to the remote malicious hacker, who can also take control of your PC. All the data it sends and retrieves is encrypted.

Additional information

We've seen this threat create the following mutexes, to ensure that only one instance of the malware runs on your PC at any time:

• DC_MUTEX-Que
• DCMIN-MUTEX- [0-9A-Z]{7}
• DC-MUTEX-[0-9A-Z]{7}
• DCPERSFWB

Analysis by Donna Sibangan & Daniel Chipiristeanu