- Apr 5, 2014
Some modern Trojans are complex multicomponent malicious programs that can perform a wide variety of functions. In this paper, we focus on a dropper Trojan named Trojan.MulDrop6.44482, a sample of which was kindly provided by Yandex. This malware is intended to spread other malicious programs, including dangerous spyware designed to attack the accounting departments of Russian companies.
Trojan.MulDrop6.44482 is distributed as an installer that first checks the system for the presence of anti-virus products such as Dr.Web, Avast, ESET or Kaspersky. If it detects one of them, or if the computer does not use the Russian localization of Windows, the dropper terminates itself. Otherwise, it saves the 7z packer and a password-protected archive to disk and then extracts the files from the archive one by one. Among them are several programs and dynamic libraries that serve different purposes. One of the unpacked programs, which Dr.Web detects as Trojan.Inject2.24412, is a Trojan that injects itself into the processes of the malicious libraries launched on the infected computer. The second program unpacked by the dropper is Trojan.PWS.Spy.19338, a spyware Trojan that sends the text entered into the windows of various programs, including accounting ones.
Trojan.PWS.Spy.19338 is launched directly in the computer’s memory and is never saved to disk in decrypted form; only an encrypted copy of it is stored on the disk. The main purpose of this Trojan is to log keystrokes and to collect information about the system. The keylogger module also sends the contents of the clipboard history to the virus makers. Trojan.PWS.Spy.19338 can run other programs either directly from memory or after first saving them to disk. Every module of the Trojan performs its own function.
All information that Trojan.PWS.Spy.19338 sends to the server is encrypted first with the RC4 algorithm and then with XOR. The Trojan saves logged keystrokes to disk in a special file and transmits its contents to the server every minute, together with the title of the window in which the keystrokes were logged. The malicious program monitors user activity in the following applications:
- 1C version 8
- 1C version 7 and 7.7
- SBIS++
- Skype
- Microsoft Word
- Microsoft Excel
- Microsoft Outlook
- Microsoft Outlook Express and Windows Mail
- Mozilla Thunderbird
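The two-layer encoding described above (RC4, then XOR) means an analyst decoding captured traffic has to peel the layers in reverse order. The following Python is an added illustration, not Doctor Web's code or anything recovered from the sample: the RC4 key, the XOR byte and the record layout are assumed placeholders, since the article does not publish the real ones.

```python
# Added example: models the RC4-then-XOR layering the article attributes to
# Trojan.PWS.Spy.19338 traffic and the analyst-side decoder that reverses it.
# RC4_KEY, XOR_KEY and the "title|keystrokes" layout are ASSUMED placeholders.

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_layer(data: bytes, k: int) -> bytes:
    """Single-byte XOR layer (assumed form of the article's 'then XOR')."""
    return bytes(b ^ k for b in data)

RC4_KEY = b"assumed-rc4-key"   # placeholder, not the sample's key
XOR_KEY = 0x5A                 # placeholder, not the sample's XOR value

def encode_report(window_title: str, keystrokes: str) -> bytes:
    """Build a constructed 'outgoing' record: RC4 first, then XOR on top."""
    plain = f"{window_title}|{keystrokes}".encode("utf-8")
    return xor_layer(rc4(RC4_KEY, plain), XOR_KEY)

def decode_report(blob: bytes) -> tuple[str, str]:
    """Analyst decoder: strip the outer XOR first, then RC4 (reverse order)."""
    plain = rc4(RC4_KEY, xor_layer(blob, XOR_KEY)).decode("utf-8")
    title, _, keys = plain.partition("|")
    return title, keys

def rc4_known_answer_ok() -> bool:
    """Published RC4 test vector: key 'Key', plaintext 'Plaintext'."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"

if __name__ == "__main__":
    # Constructed sample record for a window title the article lists (1C).
    captured = encode_report("1C:Enterprise 8", "some typed text")
    print(rc4_known_answer_ok(), decode_report(captured))
```

Decoding a different sample's traffic would need its own key material, which is not provided here; the point is the order of operations when unwrapping such layered encoding.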
Dr.Web Anti-virus detects and removes all of the above-mentioned malicious programs, so they do not pose a threat to our users. Doctor Web specialists would like to thank Yandex for providing the Trojan’s sample for research.
Read more: Doctor Web examined new spyware targeting accounting programs