
Trojan.MulDrop6.42771

Added to the Dr.Web virus database: 2016-06-01

Virus description added:

SHA1:

  • aef75ada634aa2b2447a3a6502645b74b1e9e018
  • 06362b7e8a9cf9bee2da7350b5770a5fa4bb4048
  • 5072a9b3667b14860cccb2212ba7f0570b75bea2
  • 8284b2a55d615981d8019bc83c1aab59fe7d2fd6

A dropper Trojan for Windows designed to install malware. Its code contains a large amount of junk code and meaningless function calls, which complicates analysis of the Trojan, and its library is hidden among the resources of Trojan.MulDrop6.42771 in the form of an image (bitmap). The main library is packed with MPRESS and contains the configuration file with a payload and a script. The configuration file uses several line separators, such as "MnSplt", "BMSplt", "DMSplt", "BSSplt", and "DSSplt", which determine whether certain options are enabled or not.


The Trojan can show random text messages on the screen using MessageBox and detect the presence of the following analysis and debugging tools:

  • Sandboxie: the SbieDll.dll module loaded in memory
  • VMware
  • VirtualBox: by the presence of the HKLM\HARDWARE\ACPI\DSDT\VBOX__ key
  • A debugger: by the PEB.NtGlobalFlag flag
  • Process Monitor: using the FindWindow("PROCMON_WINDOW_CLASS") function
  • Process Explorer: using the FindWindow("PROCEXPL") function

If it detects any of them, the Trojan terminates its operation.

It also uses a CMD command to disable Windows User Account Control (UAC):

cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

The configuration file stores the installation path and the name of the Trojan. The installation path can be selected using the following environment variables: Temp, process_folder, SystemDrive, windir, windir_system32, programfiles, appdata, and userprofile. The Trojan uses seven different ways to enable its autorun in the system; which one is used is specified in its configuration file.

  1. The C:\Users\<username>\AppData\Local\Temp\<file name>.txt file with the Trojan’s body and the C:\Users\<username>\AppData\Local\Temp\<file name>.vbs script, which decrypts and runs the first file, are created in a temporary folder. Names of these files are retrieved from the configuration file. The dropper’s library resources store the script template containing the file’s location path that is changed before saving. The <file name>.vbs script is saved to the autorun folder. In the temporary folder, the cpy.vbs script is created. It looks as follows:
    Dim FSO
    Set FSO = CreateObject("Scripting.FileSystemObject")
    FSO.CopyFile "C:\Users\<username>\AppData\Local\Temp\<filename>.vbs", "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<filename>.vbs" , 1
    strUs = Wscript.ScriptFullName
    FSO.DeleteFile("C:\Users\<username>\AppData\Local\Temp\<filename>.vbs")
    FSO.DeleteFile(strUs)
    where <filename> is the name of the file specified in the configuration file.
    Once the script is created, it is executed. VBS files in the autorun folder and TXT files in the temporary folder are appended with the “Read Only”, “Hidden”, and “System” attributes.
  2. The branch of the system registry is modified:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Shell"="explorer.exe, <path>"
    where <path> is a location path of the Trojan.
  3. The branch of the system registry is modified:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe, <path>"
    where <path> is a location path of the Trojan.
  4. The branch of the system registry is modified:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  5. The branch of the system registry is modified:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  6. The branch of the system registry is modified:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  7. The Trojan copies itself to root folders of all connected drives and creates the autorun.inf file:
    [autorun]
    shellexecute=<path>
    where <path> is a location path of the Trojan.
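The following PowerShell audit script is an added example and is not part of the Dr.Web description: it checks, read-only, the UAC setting and the seven persistence locations listed above (Winlogon Shell and Userinit, the three Run keys, hidden Startup-folder .vbs scripts, and autorun.inf with a shellexecute line on drive roots). Expected default values for Shell and Userinit are assumed to be "explorer.exe" and "<windir>\system32\userinit.exe,"; Run entries are listed for review rather than judged.

```powershell
# Added example (not Dr.Web's code): audit persistence locations described above.
$findings = @()

# UAC disabled via EnableLUA = 0
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $sysPol -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { $findings += "UAC disabled: $sysPol\EnableLUA = 0" }

# Winlogon Shell / Userinit carrying an extra executable after the comma
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
if ($wl.Shell -and $wl.Shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell modified: '$($wl.Shell)'"
}
# Assumed default: "<windir>\system32\userinit.exe," with nothing after the comma
$expectedUserinit = (Join-Path $env:windir 'system32\userinit.exe') + ','
if ($wl.Userinit -and $wl.Userinit.Trim() -ne $expectedUserinit) {
    $findings += "Winlogon Userinit modified: '$($wl.Userinit)'"
}

# Run keys used by the Trojan (HKLM, HKCU and Policies\Explorer\Run)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        $findings += "Run entry for review: $key\$($p.Name) = $($p.Value)"
    }
}

# Startup-folder .vbs scripts with Hidden and System attributes set
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.vbs' -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                   ($_.Attributes -band [IO.FileAttributes]::System) } |
    ForEach-Object { $findings += "Hidden+System startup script: $($_.FullName)" }

# autorun.inf with a shellexecute= line at the root of every filesystem drive
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (-not (Test-Path $inf)) { continue }
    $lines = Get-Content -Path $inf -Force -ErrorAction SilentlyContinue
    if ($lines -match '^\s*shellexecute\s*=') { $findings += "autorun.inf shellexecute: $inf" }
}

$findings
```

Run it from an elevated prompt so HKLM values and hidden files on removable drives are readable; an empty result means none of the listed indicators were found.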

To place the Trojan into a target folder and to set up autorun through the registry, the following script is used:

Dim FSO
Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.CopyFile "<path 1>", "<path 2><filename>.exe" , 1
strScript = Wscript.ScriptFullName
FSO.DeleteFile(strScript)
where <path 1> is the location path of the original file, <path 2> is the path to a new location of the Trojan, and <filename> is the name of the file specified in the configuration file.

The Trojan can optionally be run with a BATCH file:

PING 127.0.0.1 -n 2
start "" "<path 2><filename>.exe"
del %0
exit
where <path 2> is the location of the file and <filename> is the name of the file specified in the configuration file.

The payload can be launched using six different methods:

  1. To get access to the default browser, the Trojan reads the value of the HKEY_CLASSES_ROOT\http\shell\open\command key. Then it creates a new suspended process and injects itself into its image. If the WOW64 subsystem is used, the Trojan modifies the path to the browser, replacing "Program Files\" with "Program Files (x86)\". Then the Trojan allocates memory for the downloader's image, places the payload there and resumes the process.
  2. Allocates the memory for the downloader’s image, places the payload there and configures imports. Then it calls the DllEntry function to load the library to the memory. After that, the Trojan checks this library for the LoadDotNetPE export, reads the data array from the configuration file, copies it to a separate memory, and transfers it to LoadDotNetPE.
  3. Loads the payload to the memory in the form of a dynamic library by calling the DllEntry function.
  4. Saves the payload to the disk and at the path specified in the Trojan’s configuration and executes it.
  5. Downloads the payload from the network, saves it to the disk and at the path specified in the Trojan’s configuration and executes it.
  6. Executes the payload in its own process. If it fails to free some disk space, the process is terminated. It checks for the presence of TLS in the image. If successful, a memory page is allocated, and its address is placed in TEB.ThreadLocalStorage (fs:[0x2C]). Then the Trojan scans the image from its end to the beginning for the following instruction:
    648B152C000000 mov edx,fs:[00000002C]
    The instruction is rewritten as mov edx,<previously allocated memory page>, padded with two nop instructions. Then control is passed to the entry point.


Treatment recommendations

  1. If the operating system can be booted (in normal or safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be booted, change your computer's BIOS settings so that it boots from a CD/DVD or USB drive. Download the Dr.Web® LiveDisk system rescue disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, then prepare the corresponding USB drive. Boot the computer from that drive, then run a full scan and treat the detected threats.

Run a full system scan using Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions using Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the screen of the mobile device), proceed as follows:
    • boot your smartphone or tablet in safe mode (if you do not know how, consult the mobile device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on your mobile device, run a full scan and follow the recommendations for neutralising the detected threats;
    • Disconnect your device and reconnect it.

Learn more about Dr.Web for Android