Trojan.MulDrop6.58303

Added to the Dr.Web virus database: 2016-09-30

Virus description added: 2016-09-30

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'DELSMSAGENTINSTALLER' = '<SYSTEM32>\cmd.exe /c RMDIR /S /Q %TEMP%\SMSagent'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\BITS] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\ccmsetup] 'ImagePath' = '"<SYSTEM32>\ccmsetup\ccmsetup.exe" /runservice /source:%TEMP%\SMSagent SMSMP=PDXA5010 SMSSITECODE=001'
[<HKLM>\SYSTEM\ControlSet001\Services\ccmsetup] 'Start' = '00000002'

Malicious functions:

Executes the following:

'<SYSTEM32>\msiexec.exe' /V
'<SYSTEM32>\msiexec.exe' -Embedding 5651A799B2811C3120D059DFD017BAAD M Global\MSI0000
'%TEMP%\SMSagent\ccmsetup.exe' /source:%TEMP%\SMSagent SMSMP=PDXA5010 SMSSITECODE=001
'<SYSTEM32>\ccmsetup\ccmsetup.exe' /runservice /source:%TEMP%\SMSagent SMSMP=PDXA5010 SMSSITECODE=001

Modifies file system:

Creates the following files:

%WINDIR%\Installer\MSI17.tmp
%WINDIR%\Installer\MSI16.tmp
%WINDIR%\Installer\MSI15.tmp
%WINDIR%\Installer\MSI18.tmp
%WINDIR%\Installer\MSI1B.tmp
%WINDIR%\Installer\MSI1A.tmp
%WINDIR%\Installer\MSI19.tmp
%WINDIR%\Installer\MSI10.tmp
%WINDIR%\Installer\MSIF.tmp
%WINDIR%\Installer\MSIE.tmp
%WINDIR%\Installer\MSI11.tmp
%WINDIR%\Installer\MSI14.tmp
%WINDIR%\Installer\MSI13.tmp
%WINDIR%\Installer\MSI12.tmp
%WINDIR%\Installer\MSI25.tmp
%WINDIR%\Installer\MSI24.tmp
%WINDIR%\Installer\MSI23.tmp
%WINDIR%\Installer\MSI26.tmp
%WINDIR%\Installer\MSI29.tmp
%WINDIR%\Installer\MSI28.tmp
%WINDIR%\Installer\MSI27.tmp
%WINDIR%\Installer\MSI1E.tmp
%WINDIR%\Installer\MSI1D.tmp
%WINDIR%\Installer\MSI1C.tmp
%WINDIR%\Installer\MSI1F.tmp
%WINDIR%\Installer\MSI22.tmp
%WINDIR%\Installer\MSI21.tmp
%WINDIR%\Installer\MSI20.tmp
<SYSTEM32>\ccmsetup\ccmsetup.log
%TEMP%\SMSagent\~GLH0004.TMP
%TEMP%\SMSagent\~GLH0003.TMP
<SYSTEM32>\ccmsetup\ccmsetup.exe.download
%TEMP%\SMSagent\INSTALL.LOG
<SYSTEM32>\ccmsetup\client.msi.download
<SYSTEM32>\ccmsetup\ccmsetup.exe
%TEMP%\GLW3.tmp
%TEMP%\GLK2.tmp
%TEMP%\GLC1.tmp
%TEMP%\GLG5.tmp
%TEMP%\SMSagent\~GLH0002.TMP
%TEMP%\SMSagent\~GLH0001.TMP
%TEMP%\SMSagent\~GLH0000.TMP
%WINDIR%\Temp\~DFD288.tmp
%WINDIR%\Installer\23e2a.ipi
%WINDIR%\Installer\MSI9.tmp
%WINDIR%\Installer\MSIA.tmp
%WINDIR%\Installer\MSID.tmp
%WINDIR%\Installer\MSIC.tmp
%WINDIR%\Installer\MSIB.tmp
<SYSTEM32>\ccmsetup\client.msi.log
<SYSTEM32>\ccmsetup\{8E99D25F-47B7-4DF1-AD28-A629730BBFDF}\client.msi
<SYSTEM32>\ccmsetup\client.msi
%WINDIR%\Installer\23e28.msi
%WINDIR%\Installer\MSI8.tmp
%WINDIR%\Installer\MSI7.tmp
%WINDIR%\Installer\MSI6.tmp

Deletes the following files:

%WINDIR%\Installer\MSI1C.tmp
%WINDIR%\Installer\MSI1B.tmp
%WINDIR%\Installer\MSI1E.tmp
%WINDIR%\Installer\MSI1D.tmp
%WINDIR%\Installer\MSI1A.tmp
%WINDIR%\Installer\MSI17.tmp
%WINDIR%\Installer\MSI16.tmp
%WINDIR%\Installer\MSI19.tmp
%WINDIR%\Installer\MSI18.tmp
%WINDIR%\Installer\MSI1F.tmp
%WINDIR%\Installer\MSI26.tmp
%WINDIR%\Installer\MSI25.tmp
%WINDIR%\Installer\MSI28.tmp
%WINDIR%\Installer\MSI27.tmp
%WINDIR%\Installer\MSI24.tmp
%WINDIR%\Installer\MSI21.tmp
%WINDIR%\Installer\MSI20.tmp
%WINDIR%\Installer\MSI23.tmp
%WINDIR%\Installer\MSI22.tmp
%WINDIR%\Installer\MSI15.tmp
%WINDIR%\Installer\MSI7.tmp
%WINDIR%\Installer\MSI6.tmp
%WINDIR%\Installer\MSI9.tmp
%WINDIR%\Installer\MSI8.tmp
%TEMP%\GLC1.tmp
<SYSTEM32>\ccmsetup\ccmsetup.exe.download
%TEMP%\GLW3.tmp
%TEMP%\GLK2.tmp
%TEMP%\GLG5.tmp
%WINDIR%\Installer\MSIB.tmp
%WINDIR%\Installer\MSI12.tmp
%WINDIR%\Installer\MSI11.tmp
%WINDIR%\Installer\MSI14.tmp
%WINDIR%\Installer\MSI13.tmp
%WINDIR%\Installer\MSI10.tmp
%WINDIR%\Installer\MSID.tmp
%WINDIR%\Installer\MSIC.tmp
%WINDIR%\Installer\MSIF.tmp
%WINDIR%\Installer\MSIE.tmp

Moves the following files:

from %TEMP%\SMSagent\~GLH0003.TMP to %TEMP%\SMSagent\commandline.txt
from %TEMP%\SMSagent\~GLH0004.TMP to %TEMP%\SMSagent\smsman.exe
from %TEMP%\SMSagent\~GLH0002.TMP to %TEMP%\SMSagent\client.msi
from %TEMP%\SMSagent\~GLH0000.TMP to %TEMP%\SMSagent\capinst.exe
from %TEMP%\SMSagent\~GLH0001.TMP to %TEMP%\SMSagent\ccmsetup.exe

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial