Trojan.Mutabaha.1

Added to the Dr.Web virus database: 2016-08-22

Virus description added:

SHA1:

  • 8a56002732c57e90eb482f7fd3aa75d400b6ba7f

A Trojan designed to install its own build of the Chrome browser under the name Outfire. This browser takes the place of the legitimate Chrome browser: the Trojan modifies Chrome's shortcuts so that they open the new application and copies the Chrome user account information into it. In Outfire, the default home page cannot be changed, and the browser ships with a fixed extension responsible for replacing the advertisements on the web pages being browsed.

First, a dropper is launched. It then elevates its privileges by modifying the system registry branch HKCU\Software\Classes\mscfile\shell\open\command (the per-user file-type handler for .msc files, whose command is run when such a file is opened).

The dropper saves the application setup_52.3.2743.82_1471853250.exe to disk and runs it. At the same time, BAT files are saved and run; they are responsible for removing the dropper. The following command implements the delay before the deletion:

"C:\Windows\system32\cmd.exe" /c choice /t 20 /d y /n >nul & del "<fullpath> \<dropper>.exe" >> NUL

where <fullpath> is the full path to the location of the dropper and <dropper> is the dropper's file name.

The installer connects to the command and control server to receive a configuration file that specifies the address from which the browser is downloaded. The browser is then installed into the C:\Program Files\Outfire directory and registered in the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Outfire]
"path"="C:\\Program Files\\Outfire\\"
"publicdirectroy_du"="C:\\Program Files\\Outfire\\Reports\\Dump"
"channel"="ince"
"userid"="harddisk_123"
"version"="52.3.2743.82"
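Both registry locations named so far, the per-user mscfile handler the dropper writes to elevate its privileges and the HKLM\SOFTWARE\Outfire installation key, can be checked from a .reg export. The Python script below is an added example, not Dr.Web's code and not the Trojan's: it parses `reg export` output into a dictionary, reports a finding for each of the two indicators, and on Windows exports the two keys live with reg.exe. The sample export embedded in it is constructed; only the Outfire values are taken from this description, and the dropper path under the mscfile key is a placeholder.

```python
import os
import re
import subprocess
import sys
import tempfile

# Registry locations named in the Dr.Web write-up.
MSCFILE_CMD = r"HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command"
OUTFIRE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Outfire"

_KEY_RE = re.compile(r"^\[(.+)\]$")
# `@=` is the (Default) value; any other value name is double-quoted.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Strip the surrounding quotes of .reg string data and undo its \\ and \" escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse `reg export` output into {key_path: {value_name: data}}; the default value is "@"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def find_indicators(reg):
    """Return one finding per Trojan.Mutabaha.1 registry indicator present in `reg`."""
    findings = []
    # HKCU\Software\Classes\mscfile does not exist on a clean profile. A per-user open
    # command there overrides the machine-wide handler for .msc files; the write-up
    # says the dropper uses this key to elevate its privileges.
    cmd = reg.get(MSCFILE_CMD, {}).get("@")
    if cmd:
        findings.append("mscfile open command hijacked in HKCU: " + cmd)
    outfire = reg.get(OUTFIRE_KEY)
    if outfire is not None:
        findings.append("Outfire browser registered: path=%s version=%s"
                        % (outfire.get("path"), outfire.get("version")))
    return findings


def export_live_keys():
    """On Windows, export both keys with reg.exe and parse them; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    merged = {}
    for key in (MSCFILE_CMD, OUTFIRE_KEY):
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "dump.reg")
            # reg.exe exits non-zero when the key is absent, which is the clean case.
            if subprocess.run(["reg", "export", key, path, "/y"], capture_output=True).returncode == 0:
                with open(path, encoding="utf-16") as fh:  # reg export writes UTF-16 LE
                    merged.update(parse_reg_export(fh.read()))
    return merged


# Constructed sample export: the Outfire values are the ones in the write-up; the
# dropper path under the mscfile key is a placeholder, not an observed value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\<user>\\AppData\\Local\\Temp\\<dropper>.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Outfire]
"path"="C:\\Program Files\\Outfire\\"
"publicdirectroy_du"="C:\\Program Files\\Outfire\\Reports\\Dump"
"channel"="ince"
"userid"="harddisk_123"
"version"="52.3.2743.82"
"""

if __name__ == "__main__":
    reg = export_live_keys() if sys.platform == "win32" else parse_reg_export(SAMPLE_EXPORT)
    for finding in find_indicators(reg) or ["no Trojan.Mutabaha.1 registry indicators found"]:
        print(finding)
```

On a host that is not running Windows the script evaluates the embedded sample, which is enough to see the two findings; the same parser can be pointed at a .reg file collected from a suspect machine by passing its contents to `parse_reg_export`.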

The Trojan registers several tasks in the Windows Task Scheduler in order to download and install its updates.

The malware searches the system for other fake browsers of the same kind, generating their names from combinations of values taken from two glossaries:

"apple", "bag", "cat", "boy", "pear", "ball", "fish", "bird", "egg", "fan",
"jam", "cup", "book", "bed", "gun", "jar", "leg", "hip", "boob", "pen",
"kit", "tool", "map", "nose", "ant", "box", "big", "zoo", "hot", "to",
"in", "out", "red", "on", "set", "bang", "sea", "go", "for", "shut",
"boss", "mon", "sys", "east", "left", "cold", "foot", "ever", "hi", "yeah",
"yes", "no", "do", "june", "day", "be", "we", "stan", "that", "her",
"all", "will", "can", "year", "new", "Gold"

"fly", "old", "has", "per", "fun", "ship", "duck", "pat", "eat", "look",
"my", "glad", "one", "hair", "lamp", "face", "suck", "lose", "job", "kiss",
"ass", "leaf", "blue", "hat", "fat", "bear", "rice", "bean", "anna", "tony",
"bob", "mike", "larry", "ben", "jane", "bin", "sarah", "ness", "son", "dear",
"eye", "arm", "toe", "car", "boat", "pig", "dog", "tie", "door", "flat",
"cine", "rain", "seed", "fire", "may"

A full list of generated names and browser versions is given below:

50.17.2661.78 Weness
50.19.2661.78 Eastness
50.21.2661.78 Footblue
50.22.2661.78 Bangone
50.25.2661.78 Legpat
50.26.2661.78 Yestony
50.27.2661.78 Nosemay
51.5.2704.63 Cupblue
51.6.2704.63 Birdkiss
51.7.2704.63 Hipbear
51.8.2704.63 Juneper
51.9.2704.63 Hisarah
51.10.2704.63 Mapcar
51.12.2704.63 Docine
51.13.2704.63 Noanna
51.14.2704.63 Wefat
51.15.2704.63 Seaness
51.16.2704.63 Allold
51.17.2704.63 Gunship
51.18.2704.63 Footship
51.19.2704.63 Nobean
51.20.2704.63 Jamsarah
51.21.2704.63 Birdsarah
51.23.2704.63 Doold
51.24.2704.63 Junedoor
51.25.2704.63 Toolrain
51.26.2704.63 Lefttoe
51.27.2704.63 Zooface
51.28.2704.63 Hipfat
51.29.2704.63 Yesdear
51.30.2704.63 Fishlamp
51.31.2704.63 Outlose
51.32.2704.63 Nosejane
51.33.2704.63 Hiprain
51.34.2704.63 Eastfat
51.35.2704.63 Goldlarry
51.36.2704.63 Bigjane
52.1.2743.82 Birddear
52.2.2743.82 Boobseed
52.3.2743.82 Outfire
52.4.2743.82 Allhair
52.5.2743.82 Outboat
52.6.2743.82 Bookfat
52.7.2743.82 Zootony
52.8.2743.82 Birdeye
50.2.2661.78 Sysblue
50.3.2661.78 Eggsuck
50.4.2661.78 Jarsarah
50.7.2661.78 Thatrice
50.8.2661.78 Pearbob
50.10.2661.78 Herness
50.11.2661.78 Redpig
50.13.2661.78 Toolduck
50.14.2661.78 Guntony
50.15.2661.78 Seablue
50.20.2661.78 Monold

The generated names are compared with the value "Outfire" so that the Trojan's own browser is not deleted by mistake. For every other name, the Trojan modifies the system registry, kills that browser's processes, and deletes its scheduled tasks from the Task Scheduler. An example for the Bangone browser:

TASKKILL /F /IM protect.exe
TASKKILL /F /IM Bangone.exe
TASKKILL /F /IM Bangone_server.exe
TASKKILL /F /IM BangoneUpdate.exe
"C:\Windows\System32\cmd.exe" /c chcp 437 & schtasks /Delete /TN "BangoneCheckTask" /F
"C:\Windows\System32\cmd.exe" /c chcp 437 & schtasks /Query /TN "BangoneCheckTask"
"C:\Windows\System32\cmd.exe" /c chcp 437 & schtasks /Delete /TN "BangoneBrowserUpdateUA" /F
"C:\Windows\System32\cmd.exe" /c chcp 437 & schtasks /Query /TN "BangoneBrowserUpdateUA"
"C:\Windows\System32\cmd.exe" /c chcp 437 & schtasks /Delete /TN "BangoneUpdateTaskMachineUA" /F
"C:\Windows\System32\cmd.exe" /c chcp 437 & schtasks /Query /TN "BangoneUpdateTaskMachineUA"
"C:\Windows\System32\cmd.exe" /c chcp 437 & schtasks /Delete /TN "BangoneBrowserUpdateCore" /F
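As an added example (not Dr.Web's code and not the Trojan's), the Python script below reproduces the name generator from the two glossaries above, checks that every name in the list is a glossary-1 word followed by a glossary-2 word (the split of the printed word lists into those two glossaries, and the upper-casing of the first letter, are assumptions made here), and then uses the naming patterns visible in the Bangone commands (<Name>CheckTask, <Name>BrowserUpdateUA, <Name>UpdateTaskMachineUA, <Name>BrowserUpdateCore for tasks; <Name>.exe, <Name>_server.exe, <Name>Update.exe for processes) to pick fake-browser artefacts out of scheduled-task and process listings. The task and process names it is run on are constructed sample input, not observations from a real host.

```python
import functools

# The two glossaries as listed in the write-up (first list = first half of a name,
# second list = second half; this split is an assumption made here).
GLOSSARY_1 = [
    "apple", "bag", "cat", "boy", "pear", "ball", "fish", "bird", "egg", "fan",
    "jam", "cup", "book", "bed", "gun", "jar", "leg", "hip", "boob", "pen",
    "kit", "tool", "map", "nose", "ant", "box", "big", "zoo", "hot", "to",
    "in", "out", "red", "on", "set", "bang", "sea", "go", "for", "shut",
    "boss", "mon", "sys", "east", "left", "cold", "foot", "ever", "hi", "yeah",
    "yes", "no", "do", "june", "day", "be", "we", "stan", "that", "her",
    "all", "will", "can", "year", "new", "Gold",
]
GLOSSARY_2 = [
    "fly", "old", "has", "per", "fun", "ship", "duck", "pat", "eat", "look",
    "my", "glad", "one", "hair", "lamp", "face", "suck", "lose", "job", "kiss",
    "ass", "leaf", "blue", "hat", "fat", "bear", "rice", "bean", "anna", "tony",
    "bob", "mike", "larry", "ben", "jane", "bin", "sarah", "ness", "son", "dear",
    "eye", "arm", "toe", "car", "boat", "pig", "dog", "tie", "door", "flat",
    "cine", "rain", "seed", "fire", "may",
]
OWN_BROWSER = "Outfire"  # the Trojan's own browser, which it skips when removing rivals

# The 56 fake-browser names listed in the write-up, used to check the generator.
OBSERVED_NAMES = (
    "Weness Eastness Footblue Bangone Legpat Yestony Nosemay Cupblue Birdkiss Hipbear Juneper "
    "Hisarah Mapcar Docine Noanna Wefat Seaness Allold Gunship Footship Nobean Jamsarah Birdsarah "
    "Doold Junedoor Toolrain Lefttoe Zooface Hipfat Yesdear Fishlamp Outlose Nosejane Hiprain Eastfat "
    "Goldlarry Bigjane Birddear Boobseed Outfire Allhair Outboat Bookfat Zootony Birdeye Sysblue Eggsuck "
    "Jarsarah Thatrice Pearbob Herness Redpig Toolduck Guntony Seablue Monold"
).split()

# Artefact naming patterns seen in the Bangone removal commands in the write-up.
TASK_SUFFIXES = ("CheckTask", "BrowserUpdateUA", "UpdateTaskMachineUA", "BrowserUpdateCore")
PROCESS_SUFFIXES = ("_server.exe", "Update.exe", ".exe")  # longest first


@functools.lru_cache(maxsize=None)
def generate_names():
    """Every glossary-1 word followed by a glossary-2 word, first letter upper-cased (we+ness -> Weness)."""
    return frozenset(w1.capitalize() + w2.lower() for w1 in GLOSSARY_1 for w2 in GLOSSARY_2)


@functools.lru_cache(maxsize=None)
def _names_by_lower():
    return {n.lower(): n for n in generate_names()}


def decompose(name):
    """All (word1, word2) glossary splits producing `name` (case-insensitive); [] if not generated."""
    target = name.lower()
    return [(w1, w2) for w1 in GLOSSARY_1 for w2 in GLOSSARY_2 if (w1 + w2).lower() == target]


def unexplained_names():
    """Names from the write-up's list that the two glossaries cannot produce (expected: none)."""
    return [n for n in OBSERVED_NAMES if not decompose(n)]


def rival_names():
    """What the Trojan hunts for: every generated name except its own browser."""
    return generate_names() - {OWN_BROWSER}


def _browser_from(text, suffixes):
    """Generated browser name that `text` = <Name><suffix> is built from, or None."""
    probe = text.lower()
    for suf in suffixes:
        suf = suf.lower()
        if probe.endswith(suf):
            hit = _names_by_lower().get(probe[: -len(suf)])
            if hit:
                return hit
    return None


def browser_from_task(task_name):
    """Scheduled-task name -> fake-browser family, e.g. BangoneCheckTask -> Bangone."""
    return _browser_from(task_name, TASK_SUFFIXES)


def browser_from_process(image_name):
    """Process image name -> fake-browser family, e.g. Bangone_server.exe -> Bangone."""
    return _browser_from(image_name, PROCESS_SUFFIXES)


def triage(task_names, process_images):
    """Group task and process names by the fake-browser family they belong to.
    Outfire itself is included: to the defender it is as unwanted as its rivals."""
    found = {}
    for item, matcher in ([(t, browser_from_task) for t in task_names]
                          + [(p, browser_from_process) for p in process_images]):
        family = matcher(item)
        if family:
            found.setdefault(family, []).append(item)
    return found


# Constructed sample input (not from a real host): task names as `schtasks /Query` lists
# them and process image names as `tasklist` lists them.
SAMPLE_TASKS = ["BangoneCheckTask", "GoogleUpdateTaskMachineUA",
                "OutfireBrowserUpdateCore", "Adobe Acrobat Update Task"]
SAMPLE_PROCESSES = ["chrome.exe", "Bangone_server.exe", "protect.exe", "weness.exe"]

if __name__ == "__main__":
    print(len(generate_names()), "candidate names;", len(unexplained_names()), "listed names unexplained")
    for family, artefacts in sorted(triage(SAMPLE_TASKS, SAMPLE_PROCESSES).items()):
        print(family, "->", ", ".join(artefacts))
```

On a live host the task and image name columns of `schtasks /Query /FO CSV` and `tasklist /FO CSV` can be fed to `triage`; names that only end in one of the suffixes, such as the legitimate GoogleUpdateTaskMachineUA, are not matched because their prefix is not a glossary combination.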

Treatment recommendations

  1. If the operating system can be started (in normal mode or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be started, change your computer's BIOS settings so that it boots from CD/DVD or from a USB drive. Download the Dr.Web® LiveDisk system recovery disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, then prepare the corresponding USB drive. Boot the computer from it and run a full scan and the treatment of the detected threats.

Run a full system scan using Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions using Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on the device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • unplug your device and plug it back in.

Learn more about Dr.Web for Android