Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Trojan.MulDrop6.42771

Added to the Dr.Web virus database: 2016-06-01

Virus description added:

SHA1:

  • aef75ada634aa2b2447a3a6502645b74b1e9e018
  • 06362b7e8a9cf9bee2da7350b5770a5fa4bb4048
  • 5072a9b3667b14860cccb2212ba7f0570b75bea2
  • 8284b2a55d615981d8019bc83c1aab59fe7d2fd6

A dropper Trojan for Windows designed to install malware. Its code contains a lot of random lines and function calls, which makes it harder to analyze the Trojan, and its library is hidden among resources of Trojan.MulDrop6.42771 in the form of an image (bitmap). The main library is packed with MPRESS and contains the configuration file with a payload and a script. The configuration file has several line separators such as "MnSplt", "BMSplt", "DMSplt", "BSSplt”, and "DSSplt”, which determine whether some options are available or not.

screen Trojan.MulDrop6.42771 #drweb

The Trojan can show random text messages on the screen using MessageBox and identify the presence of the following debugging tools:

  • The SbieDll.dll module—in the memory
  • VMWare
  • VirtualBox—by availability of the HKLM\HARDWARE\ACPI\DSDT\VBOX__ key
  • Debugging tool by the PEB.NtGlobalFlag flag
  • Process Monitor—using the FindWindow("PROCMON_WINDOW_CLASS”) function
  • Process Explorer—using the FindWindow("PROCEXPL”) function

If it detects any of them, the Trojan terminates its operation.

It also uses the CMD command to disable the Windows user accounts control (UAC):

cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

The configuration file stores the information about the installation path and the name of the Trojan. The installation path can be selected using the folowing environmental variables: Temp, process_folder, SystemDrive, windir, windir_system32, programfiles, appdata, and userprofile. The Trojan uses seven different ways to enable its autorun in the system—how the Trojan will be launched is stipulated in its configuration file.

  1. The C:\Users\<username>\AppData\Local\Temp\<file name>.txt file with the Trojan’s body and the C:\Users\<username>\AppData\Local\Temp\<file name>.vbs script, which decrypts and runs the first file, are created in a temporary folder. Names of these files are retrieved from the configuration file. The dropper’s library resources store the script template containing the file’s location path that is changed before saving. The <file name>.vbs script is saved to the autorun folder. In the temporary folder, the cpy.vbs script is created. It looks as follows:
    Dim FSO
    Set FSO = CreateObject("Scripting.FileSystemObject")
    FSO.CopyFile "C:\Users\<username>\AppData\Local\Temp\<filename>.vbs", "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<filename>.vbs" , 1
    strUs = Wscript.ScriptFullName
    FSO.DeleteFile("C:\Users\<username>\AppData\Local\Temp\<filename>.vbs")
    FSO.DeleteFile(strUs)
    where <filename> is the name of the file specified in the configuration file.
    Once the script is created, it is executed. VBS files in the autorun folder and TXT files in the temporary folder are appended with the “Read Only”, “Hidden”, and “System” attributes.
  2. The branch of the system registry is modified:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Shell"="explorer.exe, <path>"
    where <path> is a location path of the Trojan.
  3. The branch of the system registry is modified:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe, <path>"
    where <path> is a location path of the Trojan.
  4. The branch of the system registry is modified:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  5. The branch of the system registry is modified:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  6. The branch of the system registry is modified:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  7. The Trojan copies itself to root folders of all connected drives and creates the autorun.inf file:
    [autorun]
    shellexecute=<path>
    where <path> is a location path of the Trojan.

To place the Trojan to a target folder and to execute autorun using the registry, the following script is applied:

Dim FSO
Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.CopyFile "<path 1>", ""<path 2><filename>.exe" , 1
strScript = Wscript.ScriptFullName
FSO.DeleteFile(strScript)
where <path 1> is the location path of the original file, <path 2> is the path to a new location of the Trojan, and <filename> is the name of the file specified in the configuration file.

The Trojan can be optionally run with BATCH file:

PING 127.0.0.1 -n 2
start "" "<path 2><filename>.exe"
del %0
exit
where <path 2> is the location of the file, <filename> is the name of the file specified in the configuration file.

The payload can be launched using six different methods:

  1. To get access to the default browser, the Trojan reads the value of the HKEY_CLASSES_ROOT\http\shell\open\command key. Then it creates a new suspended process and incorporate itself in its image. If the WOW64 subsystem is used, the Trojan modifies the path to the browser replacing “Program Files\” with “Program Files (x86)\”. Then the Trojan allocates some memory for the downloader’s image, places the payload there and runs the process.
  2. Allocates the memory for the downloader’s image, places the payload there and configures imports. Then it calls the DllEntry function to load the library to the memory. After that, the Trojan checks this library for the LoadDotNetPE export, reads the data array from the configuration file, copies it to a separate memory, and transfers it to LoadDotNetPE.
  3. Loads the payload to the memory in the form of a dynamic library by calling the DllEntry function.
  4. Saves the payload to the disk and at the path specified in the Trojan’s configuration and executes it.
  5. Downloads the payload from the network, saves it to the disk and at the path specified in the Trojan’s configuration and executes it.
  6. Executes the payloads in its process. If it fails to free some disk space, the process is terminated. It checks for the presence of the TLS application in the image. If successful, a memory page is allocated, and its address is placed to TEB.ThreadLocalStorage (fs:[0x2C]). Then the Trojan scans the image from its end to the beginning for the following instruction:
    648B152C000000 mov edx,fs:[00000002C]
    The content of the instruction is changed to mov edx,<previously allocated memory page>, adding two nop commands. Then it passes control to the input point.

News about the Trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android