New Trojan downloader interacts with NTFS directly

July 30, 2012

Doctor Web, the Russian anti-virus vendor, is warning users about the Trojan.Yaryar.1 malware. The Trojan is distinguished by a built-in routine that lets it access NTFS directly rather than through the Windows API. The malware also carries an extensive array of tools for detecting debugging and analysis software.

It is not yet clear how the Trojan spreads, but its behaviour on a system has been studied in detail. The malicious program consists of two modules, a dropper and a downloader, both written in C++. Trojan.Yaryar.1 can access NTFS files by means of its own routine, which sets it apart from other downloader Trojans. The dropper saves the downloader component to disk as a DLL file with a random name and tries to load it by injecting its code into the cryptsvc.dll file.

The Trojan features a powerful set of tools for identifying debugging and analysis programs, and it deletes itself from the computer if it finds any such program on the system. Once launched, the Trojan attempts to obtain debugger privileges and to inject its code into the spoolsv.exe process. Then Trojan.Yaryar.1 disables the , Automatic Updates and Windows Firewall and subsequently connects to a remote server to download other files and run them on the infected computer.

The Trojan's signature has been added to the Dr.Web virus databases, but this Trojan may still pose a threat to users who do not keep up-to-date anti-virus software on their PCs.
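The bulletin names two side effects a defender can check for without a signature: Automatic Updates and Windows Firewall being switched off, and foreign code running inside spoolsv.exe. The following triage script is an added example written for this article; it is not Doctor Web's code and is not derived from the malware. It assumes the standard service names wuauserv (Automatic Updates / Windows Update) and MpsSvc (Windows Firewall) used on current Windows versions, and the heuristic that a legitimate spoolsv.exe module lives under %SystemRoot% and carries a valid Authenticode signature is an assumption of the example, not a statement from the bulletin.

```powershell
# Added example, not code from Doctor Web or from the Trojan.
# Service names wuauserv / MpsSvc are standard Windows names (assumption:
# the host runs a Windows version that uses them). The module-path and
# signature heuristic is an assumption chosen for this example.

function Test-DisabledDefenceServices {
    # Returns one object per service that is stopped, disabled or missing.
    # An empty result is the healthy state.
    $names = @('wuauserv', 'MpsSvc')
    foreach ($name in $names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; Status = 'Missing'; StartType = $null }
        } elseif ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
            [pscustomobject]@{ Service = $name; Status = $svc.Status; StartType = $svc.StartType }
        }
    }
}

function Get-SuspiciousSpoolsvModules {
    # Lists DLLs loaded into spoolsv.exe that sit outside %SystemRoot%
    # or whose Authenticode signature is not valid. Reading the module
    # list of spoolsv.exe (a SYSTEM process) requires an elevated shell.
    $systemRoot = [System.Environment]::GetFolderPath('Windows')
    foreach ($proc in Get-Process -Name spoolsv -ErrorAction SilentlyContinue) {
        foreach ($mod in $proc.Modules) {
            $path = $mod.FileName
            if (-not $path) { continue }
            $outsideWindows = -not $path.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $unsigned = ($null -eq $sig) -or ($sig.Status -ne 'Valid')
            if ($outsideWindows -or $unsigned) {
                [pscustomobject]@{
                    ProcessId         = $proc.Id
                    Module            = $path
                    Signature         = $(if ($sig) { $sig.Status } else { 'Unknown' })
                    OutsideSystemRoot = $outsideWindows
                }
            }
        }
    }
}

# Run both checks; anything listed deserves a closer look.
Test-DisabledDefenceServices | Format-Table -AutoSize
Get-SuspiciousSpoolsvModules | Format-Table -AutoSize
```

Run it from an elevated PowerShell 5 or later session (the StartType property of Get-Service output is absent on older versions). A hit from either function is a lead, not a verdict: a stopped firewall service can be a policy choice, and an unsigned but legitimate third-party print monitor DLL will also appear in the second list, so confirm findings against the host's baseline before acting.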
