If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
- Using Task Manager, end the "duospeak.exe" process.
- Delete the following files:
- Restore the original file contents:
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
After launching, the trojan checks for the following branch in the system registry:
If the branch is missing, it performs the following actions:
- the body of the trojan is copied to the current user's temporary file directory:
- The copy created is launched with the "loop" parameter.
When launching with the "loop" parameter, the trojan completes the processes with the "duospeak" substring in the names of their executable files. It then creates and launches the shell script "c:\test.bat" with the following content:
:try del "<full path to the original trojan file>"" if exist "<full path to the original trojan file>" goto try del %0
which results in the deletion of the original trojan file after it shuts down. The script is also deleted.
If this system registry branch is found, the trojan carries out the following actions:
- it reads the key value:
This key saves the string containing the path to a DLL file.
- It deletes the following file:
The <Path> is made up of the previously read strings by deleting the last 14 symbols.
- It retrieves the following file from its body:
<Path>\YYCtrl.dll(4608 bytes; detected by Kaspersky Antivirus as "Trojan.Win32.Agent2.dmuw") The file is created with the "hidden" attribute.
- It modifies the library
writing the previously extracted library into the code loaded for a particular process. The malicious library "YYCtrl.dll" is therefore entered into the address space for all of the loaded "msvcr71.dll" processes.
- It creates and runs the previously described "c:\test.bat" script, and then shuts down.
Having loaded the "duospeak.exe" process into the address space, the "YYCtrl.dll" library allows for the information entered by the user in the following window classes to be tracked:
YYMainWnd YYLogin Edit
The data collected is sent to the server in HTTP-requests:
A trojan program designed to steal the user's authentication data. It is a Windows application (PE-EXE file). 6144 bytes. UPX packed. Unpacked size – around 12 kB. Written in C++.