July 30, 2012

Doctor Web—the Russian anti-virus vendor—is warning users about Trojan.Yaryar.1 malware. The Trojan is distinguished by a built-in routine that enables it to access NTFS directly rather than use Windows API. The malware also has an extensive array of tools to detect debugging and analysis software.

It's not quite clear yet how the Trojan spreads, but its behaviour in a system has been studied in detail. The malicious program consists of two modules: a dropper and a downloader, both written in C++. Trojan.Yaryar.1 is capable of accessing NTFS files by means of its own routine which makes it stand out among downloader Trojans. The dropper saves the downloader component onto the disk as a dll file with a random name and tries to load it by injecting its code into the cryptsvc.dll file.

The Trojan features a powerful set of tools to identify debugging and analysis programs, and will delete itself from a computer if it finds any such program in the system. Once launched, the Trojan attempts to obtain debugger privileges and to inject its code into process spoolsv.exe. Then Trojan.Yaryar.1 disables the , Automatic Updates and Windows Firewall and subsequently establishes a connection to a remote server to download other files and run them on the infected computer.

The Trojan's signature has been added to the Dr.Web virus databases , but this Trojan may pose a threat to users who don't install up-to-date anti-virus software on their PCs.