Trojan.DownLoader5.1437

Technical Information

To ensure autorun and distribution:

Creates or modifies the following files:

%WINDIR%\Tasks\SA.DAT

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Schedule] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\mtsodfdss] 'Start' = '00000002'

Malicious functions:

Creates and executes the following:

<SYSTEM32>\Macromadendt\cflpsv.exe /service
<SYSTEM32>\Macromadendt\MsShellExt\filpsy.exe
<SYSTEM32>\NteofSys\Setup.exe 297

Executes the following:

<SYSTEM32>\at.exe 7:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 7:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 8:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 8:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 8:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 6:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 5:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 6:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 7:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 6:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 9:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 11:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 11:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 11:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 12:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 12:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 9:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 9:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 10:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 10:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 10:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 0:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 0:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 1:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 1:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 1:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\net1.exe start mtsodfdss
<SYSTEM32>\regsvr32.exe "<SYSTEM32>\NteofSys\ThunderWeb.dll" /s
<SYSTEM32>\sc.exe config Schedule start= AUTO
<SYSTEM32>\at.exe 0:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\net1.exe start Schedule
<SYSTEM32>\at.exe 2:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 4:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 4:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 4:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 5:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 5:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 2:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 2:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 3:00 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 3:30 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"
<SYSTEM32>\at.exe 3:15 /every:M,T,W,Th,F,S,Su "<SYSTEM32>\Macromadendt\filpsy.exe"

Modifies file system :

Creates the following files:

<SYSTEM32>\Macromadendt\MsShellExt\fxdapta.ini
<SYSTEM32>\NteofSys\tlk.dll
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ifcab[1].htm
<SYSTEM32>\Macromadendt\MsShellExt\mseumdata.ini
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\gt[1].asp
<SYSTEM32>\NteofSys\ntetask.txt
<SYSTEM32>\NteofSys\ThunderWeb.dll
<SYSTEM32>\NteofSys\Setup.exe
<SYSTEM32>\NteofSys\ntemain.txt
<SYSTEM32>\NteofSys\ntesys.ini
<SYSTEM32>\NteofSys\ntesvc.txt

Deletes the following files:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ifcab[1].htm
<SYSTEM32>\Macromadendt\MsShellExt\fxdapta.ini

Network activity:

Connects to:

'rw.###lhappy.info':80

TCP:

HTTP GET requests:

rw.###lhappy.info/page/gt.asp?ve#################################################################################################################################
rw.###lhappy.info/page/ifcab.htm

UDP:

DNS ASK rw.###lhappy.info
'<Private IP address>':1034

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

Your browser is obsolete!

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial

Doctor Web in social networks

For Telegram

Other Dr.Web resources