A multicomponent Trojan that blocks access to the Internet on the infected computer. The main purpose of Trojan.Mayachok.1 is web injection; that is, injecting arbitrary content into web pages opened in the browser. The following browsers are supported: Mozilla Firefox, Microsoft Internet Explorer, Opera, Google Chrome, Safari, Maxthon.
Once the Trojan is launched on the infected computer, it creates in the system32 folder a library with a name generated using the serial number of the current hard drive partition. Then the Trojan clears the browser cache and modifies the Windows system registry to register the following library:
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'LoadAppInit_DLLs' = '00000001' [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'AppInit_DLLs' = '<SYSTEM32>\ %name%.dll'
Next, the malware restarts the computer.
Once the computer is restarted, the dynamic library decrypts the configuration file to the allocated memory. The library performs its functions only if it is uploaded to the process that imports ws2_32.dll. If the library is uploaded to the browser process, the Trojan initiates a special stream, which monitors the status of the parent window and performs web injections if the window title changes. Moreover, Trojan.Mayachok.1 attempts to download a new configuration file from remote command and control servers.