Trojan.DownLoader22.64641

Added to the Dr.Web virus database: 2016-10-16

Virus description added: 2016-10-16

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\SHM_WS_NAME] 'ImagePath' = '"%WINDIR%\system\svchost.exe"'
[<HKLM>\SYSTEM\ControlSet001\Services\SHM_WS_NAME] 'Start' = '00000002'

Malicious functions:

Executes the following:

'%WINDIR%\system\svchost.exe'
'<SYSTEM32>\attrib.exe' -a -r -s -h "%WINDIR%\temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\relor.exe"
'%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\csmopscl.exe'
'<SYSTEM32>\attrib.exe' -a -r -s -h "%WINDIR%\temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\csmopscl.exe"
'<SYSTEM32>\cmd.exe' /c %WINDIR%\temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\csui.bat
'<SYSTEM32>\net1.exe' start "Security Accounts Collection"
'%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\relor.exe'
'%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\tjc.exe'
'%WINDIR%\naul.exe' /LogFile= /LogToConsole=false "%WINDIR%\system\svchost.exe"
'<SYSTEM32>\cmd.exe' /c ""%WINDIR%\temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\smm.bat" "
'<SYSTEM32>\net.exe' start "Security Accounts Collection"

Modifies file system:

Creates the following files:

%WINDIR%\system\svchost.InstallState
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\smm.bat
%WINDIR%\Mdswell.dat
%WINDIR%\system\hk.dll
%WINDIR%\naul.exe
%WINDIR%\mstxt825.dat
%TEMP%\~DFCE2D.tmp
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\csui.bat
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\csmopscl.exe
%WINDIR%\imass219.dat
%ALLUSERSPROFILE%\Application Data\CTB\relor\1.0.0.0\{87867cb68-09ed9-384acb775a838737-50f222dd3}.dat
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\naul.exe
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\relor.exe
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\Mdswell.dat
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\hk.dll
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\HKER.exe
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\svchostm.dll
%WINDIR%\system\svchostm.dll
%WINDIR%\system\hker.exe
%WINDIR%\system\svchost.exe
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\ws.exe
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\tjc.exe

Deletes the following files:

%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\smm.bat
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\relor.exe
%ALLUSERSPROFILE%\Application Data\CTB\relor\1.0.0.0\{87867cb68-09ed9-384acb775a838737-50f222dd3}.dat
%TEMP%\~DFCE2D.tmp
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\tjc.exe
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\svchostm.dll
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\hk.dll
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\HKER.exe
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\ws.exe
%WINDIR%\system\svchost.InstallState
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\naul.exe
%WINDIR%\Temp\597d62d6-6c4c-45a0-809c-23b4d61068b9\9b0b4de4-4c5c-4211-a466-73f71b703db3\Mdswell.dat

Network activity:

Connects to:

UDP:

Miscellaneous:

Searches for the following windows: