The Stuxnet troubles are far from forgotten, and any sign of outside intrusion remains extremely sensitive news. Business is hard enough as it is, but when an e-threat comes along and sniffs for critical data, things only get worse. Spying malware inside a company's local network spells DANGER, and unfortunately the number of such threats keeps growing.
Trojan.Spy.YEK, which combines spying and backdoor features, is a serious enemy. It carries an encrypted DLL in its overlay, which it drops as windows\system32\netconf32.dll; once that DLL is injected into explorer.exe, nothing stops it from connecting (whenever it needs to) to a couple of rendezvous points controlled by the attacker.
The backdoor component registers the Trojan as a service so that it can receive and carry out instructions from a command and control center, while the spyware component sends out data about files and the operating system and also takes screenshots of what is currently running.
Among the commands it is built to execute: send the collected files using a GET request; send information about the operating system and the computer; take screenshots and send the results; list the processes running on the system and send the list; find files with a given extension. Put shortly, it uploads all the interesting data to an FTP server without the user's consent.
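As an added example (not code from BitDefender or from this write-up), the following PowerShell snippet turns the indicators described above, the dropped DLL at windows\system32\netconf32.dll, its injection into explorer.exe and the service registration, into a quick host triage check. Only the DLL name and the explorer.exe target come from the description; everything else (an elevated PowerShell 5.1 or later session on the suspect host, Get-NetTCPConnection being available, which needs Windows 8 / Server 2012 or later) is an assumption, and a clean result does not prove the machine is clean, since a variant could use a different file name.

```powershell
# Added triage example, not BitDefender's code. Assumes an elevated PowerShell 5.1+ session
# on the suspect host. Only the DLL name and the explorer.exe target come from the write-up.
$dllName = 'netconf32.dll'
$dllPath = Join-Path $env:windir "System32\$dllName"
$findings = @()

# 1. The dropped DLL on disk: record size, hash and creation time for the incident timeline.
if (Test-Path -LiteralPath $dllPath) {
    $item   = Get-Item -LiteralPath $dllPath
    $sha256 = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
    $findings += "DLL on disk: $dllPath, $($item.Length) bytes, SHA256 $sha256, created $($item.CreationTimeUtc) UTC"
}

# 2. The DLL loaded inside explorer.exe, the injection target named above. Module enumeration
#    needs a 64-bit shell on 64-bit Windows and elevation; failures are reported, not hidden.
$explorer = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
foreach ($proc in $explorer) {
    try {
        $loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq $dllName }
        if ($loaded) {
            $findings += "$dllName loaded in explorer.exe PID $($proc.Id) from $($loaded.FileName)"
        }
    } catch {
        $findings += "Could not enumerate modules of explorer.exe PID $($proc.Id): $($_.Exception.Message)"
    }
}

# 3. Service registration: check both ImagePath and the Parameters\ServiceDll value, because a
#    service DLL is normally hosted by svchost.exe and only the ServiceDll value names the DLL.
$pattern = [regex]::Escape($dllName)
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $imagePath  = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $serviceDll = (Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (($imagePath -match $pattern) -or ($serviceDll -match $pattern)) {
        $findings += "Service '$($_.PSChildName)': ImagePath='$imagePath' ServiceDll='$serviceDll'"
    }
}

# 4. Established TCP connections owned by explorer.exe. Explorer rarely holds outbound
#    connections of its own, so each remote address is a candidate rendezvous point to check
#    against proxy and firewall logs.
if ($explorer.Count -gt 0) {
    $explorerPids = $explorer | ForEach-Object { $_.Id }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $explorerPids -contains $_.OwningProcess } |
        ForEach-Object {
            $findings += "explorer.exe PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)"
        }
}

if ($findings.Count -eq 0) {
    Write-Output "No $dllName indicators found (a renamed variant would not be caught by this check)"
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated 64-bit PowerShell on the suspect machine and keep the output with the case notes: the hash from step 1 is what you would submit to your AV vendor, and the remote addresses from step 4 are what you would look for in proxy and firewall logs across the rest of the network.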
The fact that it looks for everything linked to archives, e-mails (.eml, .dbx), address books (.wab), databases and documents (.doc, .odt, .pdf etc.) makes Trojan.Spy.YEK a prime suspect for corporate espionage, as it appears to target companies' private data.
On top of that, the Trojan runs without problems on every version of Windows® from Windows 95® to Windows 7®. If you haven't done so already, this would be a good time to try an antivirus.
Information in this article is available courtesy of BitDefender Malware Researchers Doina Cosovan and Octavian Minea.