FOR CUSTOMERS

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Trojan.LoadMoney.336

Added to the Dr.Web virus database: 2014-09-29

Virus description added:

SHA1 6b5f94b5a1d28441253b19f36322c87f12420836

An installer of adware and other malicious programs. It is distributed through various file-sharing resources controlled by cybercriminals. The distribution scheme looks as follows: if the user attempts to download some file, they are redirected to a website from which Trojan.LoadMoney.336 is downloaded to the computer. Once launched, the Trojan connects to a remote server and receives a configuration file. The file contains links to different affiliate applications that the Trojan downloads and runs on the infected computer.

After the Trojan is launched, it runs a search for the %EXENAME%:tmp and %EXENAME%.tmp files (however, it should be noted that Trojan.LoadMoney.336 can operate even without these files). If any problems occur during this search, the malicious program uses two following debugging strings: “installer not found” and “error opening file installer file #”. Then the program removes the alternative Zone.Identifier thread to make its own launch easier and, using ShutdownBlockReasonCreate, prevents Windows from being shut down. If the user attempts to turn off the computer, the Trojan displays the following error message: “The updates are being downloaded and installed”. Once initialization is complete, Trojan.LoadMoney.336 waits while the mouse pointer becomes still, launches two own copies, and deletes the original file.

The Trojan gathers the following information regarding the infected computer and forwards it to cybercriminals:

  • OS version
  • Data on installed anti-virus software
  • Data on installed firewalls
  • Data on installed spyware
  • Video card model
  • RAM amount
  • Hard disks and partitions
  • OEM
  • Motherboard model
  • Screen resolution
  • BIOS version
  • Data on whether the current Windows user account has administrator privileges
  • Data on availability of applications that support files with the .torrent extension
  • Data on availability of applications that can open magnet links

Then Trojan.LoadMoney.336 sends a GET request to the command and control server and, in return, receives a decrypted package containing links to files.

Affiliate applications are downloaded via a separate thread. First, the Trojan extracts a URL from the configuration file and sends a corresponding HEAD request to that URL. If the request returns 405 (Method Not Allowed) or 501 (Not Implemented), the Trojan repeats the GET request. If the link to the target file is valid, the malicious program extracts the data on the file name and length from the reply and initiates the download of the application.

The reply from the server can contain various configuration data, including information on the dialog window that is displayed before applications get installed on the system:

{
    "checks":[
        {"b":[{
            "l":"http://sputnikmailru.cdnmail.ru/mailruhomesearchvbm.exe?rfr=profitraf1|http://****.ru/homesearch.exe?etag=1c6cdcee2ae02ba7fabce71834b7e90b|http://****.ru/homesearch.exe?etag=1c6cdcee2ae02ba7fabce71834b7e90b",
            "a":"--silent --without-updater --rfr=profitraf1 --partner_homepage=http://****.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&ovr=$__OVR&browser=$__BROWSER&file_id=69643849&ext_partner_id=&did=2199397647&start=1&label=profitraf1 --mpcln=9516 --partner_dse=http://****.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&ovr=$__OVR&browser=$__BROWSER&file_id=69643849&did=2199397647&search=1&ext_partner_id=&label=profitraf1 /partner_vbm=http://***.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&ovr=$__OVR&browser=$__BROWSER&file_id=69643849&did=2199397647&visualbookmarks=1&ext_partner_id=&label=profitraf1 --partner_toolbar=http://****.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&ovr=$__OVR&browser=$__BROWSER&file_id=69643849&did=2199397647&toolbar=1&ext_partner_id=&label=profitraf1",
            "r":"HKEY_CURRENT_USER\\Software\\Mail.Ru\\homesearch\\nb_lifetime|1438100243"
            }],
        "y":201,
        "x":60
        },
        {"b":[{
            "l":"http://****.ru/AmigoDistrib.exe?rfr=blackbear1|http://****.ru/amigo.exe?etag=1c6cdcee2ae02ba7fabce71834b7e90b|http://****.ru/amigo.exe?etag=1c6cdcee2ae02ba7fabce71834b7e90b",
            "a":"--silent --rfr=blackbear1 --ua_rfr=CHANNEL_blackbear1 --make-default=1 --partner_new_url=http:// ******.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&hsig=$__HWSIG&ovr=$__OVR&file_id=69643849&ext_partner_id=&did=2199397647&amigo=1&label=blackbear1",
            "r":"HKEY_CURRENT_USER\\Software\\Microsoft\\Amigo\\nb_lifetime|1438100243"
            }],
        "y":216,
        "x":60}
    ],
    "download":{"t":"BUTTON"},
    "expand":{
        "normal":[{"s":268436482,"x":60,"y":231,"w":13},{"s":402654210,"x":60,"y":231,"w":13},{"t":"STATIC","s":402653184,"c":"Стандартные параметры","x":75,"y":230},{"c":"Установить стартовую страницу и поиск @mail.ru","t":"STATIC","s":402653184,"x":75,"y":200},{"x":60,"y":201,"s":402654211,"w":13},{"c":"Установить браузер Амиго и сделать его основным","t":"STATIC","s":402653184,"x":75,"y":215},{"x":60,"y":216,"s":402654211,"w":13}],
        "expand":[{"t":"STATIC","s":268435472,"w":419,"h":2,"x":0,"y":169},{"t":"SysLink","c":"Установить стартовую страницу и поиск @mail.ru","y":200,"x":75},{"t":"SysLink","c":"Установить браузер Амиго и сделать его основным","y":215,"x":75}],
        "h":256
    },
    "h":256,
    "open":{
        "t":""
    }
}

Apart from gathering data on the infected system, the Trojan can check whether other malicious programs (such as Trojan.BPlug.116 and Trojan.Triosir) are installed on the compromised computer.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies