Trojan.MulDrop7.34951

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'kiss770.cn' = '<Full path to file>'

Malicious functions:

Executes the following:

'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 30333¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 9894¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 9894¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 30333¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 7711¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 27644¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user Administrator 7711¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user Administrator 30333¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user Administrator 19912¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 19912¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 21726¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user Administrator 18716¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 19912¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 9894¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 21726¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 19912¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 27644¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 12859¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 778¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 12859¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 27644¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user Administrator 1842¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 1842¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 778¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 778¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 30333¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 9894¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 12859¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 12859¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 27644¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 778¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user Administrator 7711¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 7711¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 29358¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 29358¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 29358¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 29358¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 28145¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 491¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user Administrator 28145¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 28145¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user administrators ЧчХЯєЖєЖ506980714 /add
'<SYSTEM32>\shutdown.exe' -l
'<SYSTEM32>\net.exe' user Administrator 26500¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 26500¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 26500¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\logonui.exe' /status
'<SYSTEM32>\net1.exe' user Administrator 26500¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user administrators ЧчХЯєЖєЖ506980714 /add
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 491¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 18716¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 18716¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 5436¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 153¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 21726¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 21726¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 18716¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 153¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user ЧчХЯєЖєЖ506980714 491¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user Administrator 5436¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user Administrator 28145¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net1.exe' user Administrator 491¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user Administrator 153¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 153¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net.exe' user ЧчХЯєЖєЖ506980714 5436¦Г¦Д¦И¦З§й§к§лҐе§‘§‘??????????? /add
'<SYSTEM32>\net1.exe' user Administrator 5436¦Г¦Д¦И¦З§й§к§лҐе§‘§‘???????????

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\net.exe

Attempts to shut down the Windows operating system.

Modifies file system:

Creates the following files:

%HOMEPATH%\ntuser.tmp

Sets the 'hidden' attribute to the following files:

%HOMEPATH%\ntuser.tmp

Deletes the following files:

%HOMEPATH%\ntuser.tmp

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: 'sethc.exe'
ClassName: 'StatusWindowClass' WindowName: ''
ClassName: 'CSCHiddenWindow' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'Progman' WindowName: ''
ClassName: '' WindowName: 'taskmgr.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial