Trojan.MonsterInstall.2

Added to the Dr.Web virus database: 2019-03-29

Virus description added:

SHA1:

  • 21d6f7980e6b1383c0cc813bfc003f2adf51eb74 (start.js)
  • 52e021f47f487e58d9a8edfb887925e2e75be256 (update.js)
  • 980f067ce3976a3f40e1a39e1bc8b74c3849f91e (startDll.dll)
  • d337eeefdf45055a1e3fbf26abe7ca8eb5c2295a (updateDll.dll)
  • b6a9db83a915494fa0b22cd116ec26cbe4d166ce (ESP чит для КС ГО.exe)

Description

One of the MonsterInstall trojan components. The malware is written in JavaScript and C++ and functions as a backdoor. Its JavaScript scripts are launched by a Node.js executable.

Operating routine

It installs itself in the system into the C:\Windows\Reserve Service directory and runs as a service.

ESP чит для КС ГО.exe

Located at: https://proplaying[.]ru/load/counter_strike_global_offensive/cs_go_chity/rage_chit_dlja_cs_go/27-1-0-1993

The trojan creates a mutex named “cortelMoney-suncMutex” on the user’s device and reads its parameters from the [HKLM\Software\Microsoft\Windows Node] registry key. After that, it unzips the contents of the data.bin file into the %WINDIR%\WinKit\ directory and installs a service to launch start.js.

start.js

The trojan loads the startDll.dll library and calls its exported function “mymain”.

update.js

The trojan loads the updateDll.dll library and calls its exported function “mymain”.

startDll.dll

A library with one exported function called “mymain”.

The trojan creates a mutex named “cortelMoney-suncMutex” on the user’s device and reads its parameters from the [HKLM\Software\Microsoft\Windows Node] registry key.

Then it launches %WINDIR%\WinKit\msnode %WINDIR%\WinKit\update.js and stops the “Windows Node” service.

updateDll.dll

A library with one exported function called “mymain”. The trojan sends requests to google.com, yahoo.com, and facebook.com every 10 seconds until it receives “code 200” in response. It then sends a POST request to the http://s44571fu[.]bget[.]ru/CortelMoney/enter.php server with the following configuration data:

{"login":"NULL","mainId":"PPrn1DXeGvUtzXC7jna2oqdO2m?WUMzHAoM8hHQF","password":"NULL","source":[0,0,0,0],"updaterVersion":[0,0,0,0],"workerVersion":[0,0,0,0]} 

For HTTP basic authentication it uses the pair “cortel:money”; the User-Agent header is set to “USER AGENT”.

The server’s response:


{
    "login": "240797",
    "password": "tdzjIF?JgEG5NOofJO6YrEPQcw2TJ7y4xPxqcz?X",
    "updaterVersion": [0, 0, 0, 115],
    "updaterLink": "http:\/\/s44571fu.bget.ru\/CortelMoney\/version\/0-0-0-115-upd.7z",
    "workerVersion": [0, 0, 3, 0],
    "workerLink": "http:\/\/s44571fu.bget.ru\/CortelMoney\/version\/0-0-3-0-work.7z"
}

For basic authentication of future requests the login:password provided by the server will be used. If the trojan’s current version is older than the one the server suggests, the trojan downloads the newest one using the provided link.
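The check-in described above can be matched in captured or proxied HTTP requests. The following is an added detection example, not code from the Dr.Web write-up; the function names and trait labels are hypothetical, and the sample request is built by the code rather than captured. Because later requests use the server-issued login:password, the "bootstrap-auth" trait only matches the first check-in.

```python
import base64
import json

# Indicators from the write-up; the host stays defanged in source and is refanged here.
C2_HOST = "s44571fu[.]bget[.]ru".replace("[.]", ".")
C2_PATH = "/CortelMoney/enter.php"
BOOTSTRAP_CREDS = "cortel:money"
BODY_KEYS = {"login", "mainId", "password", "source", "updaterVersion", "workerVersion"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    first, *rest = head.decode("latin-1").split("\r\n")
    method, path = (first.split(" ") + ["", ""])[:2]
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in rest)}
    return method, path, headers, body

def basic_credentials(headers):
    """Decode an 'Authorization: Basic' header to 'user:password', else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def checkin_traits(raw):
    """Return which traits of the described check-in a single request shows."""
    method, path, headers, body = parse_request(raw)
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    checks = {
        "host": headers.get("host", "").lower().split(":")[0] == C2_HOST,
        "path": method == "POST" and path.split("?")[0] == C2_PATH,
        "user-agent": headers.get("user-agent") == "USER AGENT",
        "bootstrap-auth": basic_credentials(headers) == BOOTSTRAP_CREDS,
        "config-body": isinstance(doc, dict) and BODY_KEYS.issubset(doc),
    }
    return {name for name, hit in checks.items() if hit}

def sample_request(host, path, agent, creds, body):
    """Build a constructed request (not a capture) to exercise the detector."""
    token = base64.b64encode(creds.encode()).decode()
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {agent}\r\n"
            f"Authorization: Basic {token}\r\n\r\n{body}").encode()
```
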

The trojan unzips the archive into the %WINDIR%\WinKit\<updaterVersion>\ directory, where <updaterVersion> is the “updaterVersion” parameter from the first server response converted into a string.

The trojan stops and deletes the “Windows Node Guard” service, then creates it again with its executable changed to that of the “Windows Node” service. Next it stops and deletes the “Windows Node” service, creates a copy of it, and changes the executable to daemon\service.exe. In the same directory the trojan creates the file “service.xml”:

<service><id>service.exe</id><executable>C:\Windows\WinKit\0.0.0.115\msnode.exe</executable><arguments>"C:\Windows\WinKit\0.0.0.115\start.js"</arguments></service>

Then the trojan unzips the worker file into the %WINDIR%\WinKit\SystemNode\ folder and runs %WINDIR%\WinKit\SystemNode\sysnode %WINDIR%\WinKit\SystemNode\main.js.

service.exe

A build of the “winsw” utility. It reads its parameters from an XML file.
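For host triage, winsw service definitions collected from an endpoint can be checked against the persistence layout described above. This is an added example, not code from the Dr.Web write-up; the function names and finding strings are hypothetical, and treating “msnode” and “sysnode” as the Node.js launcher names is an assumption drawn from the command lines quoted on this page.

```python
import ntpath
import xml.etree.ElementTree as ET

INSTALL_ROOT = r"\windows\winkit"   # %WINDIR%\WinKit from the write-up, drive stripped
NODE_NAMES = {"msnode", "sysnode"}  # launcher names quoted on the page (assumed Node.js)

def version_dir(version):
    """[0, 0, 0, 115] -> '0.0.0.115', the per-version directory name."""
    return ".".join(str(part) for part in version)

def parse_winsw(xml_text):
    """Return (id, executable, arguments) from a winsw service definition."""
    root = ET.fromstring(xml_text)
    return tuple((root.findtext(tag) or "").strip() for tag in ("id", "executable", "arguments"))

def findings(xml_text, known_versions=()):
    """List the reasons a winsw definition matches the described persistence."""
    _sid, exe, args = parse_winsw(xml_text)
    _drive, path = ntpath.splitdrive(ntpath.normcase(ntpath.normpath(exe)))
    directory, name = ntpath.split(path)
    stem = ntpath.splitext(name)[0]
    reasons = []
    under_root = directory == INSTALL_ROOT or directory.startswith(INSTALL_ROOT + "\\")
    if under_root:
        reasons.append("executable under %WINDIR%\\WinKit")
    if stem in NODE_NAMES:
        reasons.append("launcher name from the write-up: " + name)
    if args.strip('"').lower().endswith(".js"):
        reasons.append("launches a JavaScript file")
    if under_root and ntpath.basename(directory) in map(version_dir, known_versions):
        reasons.append("version directory advertised by the server")
    return reasons

# The service.xml shown on the page, reproduced as sample input.
SAMPLE_XML = (r'<service><id>service.exe</id>'
              r'<executable>C:\Windows\WinKit\0.0.0.115\msnode.exe</executable>'
              r'<arguments>"C:\Windows\WinKit\0.0.0.115\start.js"</arguments></service>')
```
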

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and the removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.