Trojan:Win32/Matsnu

Encyclopedia entry
Updated: May 22, 2012  |  Published: Dec 28, 2011

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.151.140.0
Released: May 15, 2013
Detection initially created:
Definition: 1.117.2329.0
Released: Jan 05, 2012

Summary

Trojan:Win32/Matsnu is malware that can perform certain actions based on instructions from a remote server. It also changes certain computer settings.

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • You cannot open Registry Editor or Task Manager
  • Important system files may be missing or seem to have been deleted

Technical Information (Analysis)

Trojan:Win32/Matsnu is malware that can perform certain actions based on instructions from a remote server. It also changes certain computer settings.

Installation

Trojan:Win32/Matsnu creates copies of itself in the <system folder> and %Temp% folders. Its copy is named based on your computer's system volume information and is 20 characters long.

It changes the system registry so that it automatically runs at every Windows start:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware file name>.exe,"

Payload

Connects to a remote server

Trojan:Win32/Matsnu connects to certain servers to receive instructions and configuration information. It can be instructed to:

  • Take screenshots of what windows are currently open on your desktop
  • Get system location and operating system version
  • Get other URLs to connect to
  • Update itself
  • Run arbitrary commands on your computer
  • Delete important system files on your computer, which may render it unusable

Change computer settings

Trojan:Win32/Matsnu changes settings, depending on what version of Windows you are running.

If you are running Windows XP, it performs the following changes:

Disables registry tools and prevents you from running Registry Editor:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"

Disables Task Manager:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

Disables Safe Boot Mode:

Deletes subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Sets another program to run alongside System Configuration or Registry Editor:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
Sets value: "Debugger"
With data: "p9kdmf.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Sets value: "Debugger"
With data: "p9kdmf.exe"

Allows the malware file to bypass the firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware file name>"
With data: "<malware file name>:*:enabled:wsctrl"

Trojan:Win32/Matsnu also deletes files from the system restore cache, preventing you from restoring your computer to a defined restore point.

If you are running Windows 7, it performs the following change, which disables registry tools, including Registry Editor:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "0100000"
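As an added example (not part of the original encyclopedia entry), the following PowerShell audit checks a host for the persistence entry from the Installation section and the settings changes listed above. It assumes an elevated session and that the malware file name is not known in advance, so Userinit is compared against the expected default and the firewall exception list is searched for the ":wsctrl" suffix the entry describes.

```powershell
# Added example, not from the original entry: audit a host for the registry changes this
# entry attributes to Trojan:Win32/Matsnu. Assumes an elevated PowerShell session; the
# malware file name is unknown, so checks key on the documented defaults and suffixes.
$findings = @()

function Get-RegData($Path, $Name) {
    # Returns the value data, or $null when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Persistence: Winlogon\Userinit should contain only <system folder>\userinit.exe
$userinit = Get-RegData 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
foreach ($entry in ($userinit -split ',')) {
    if ($entry.Trim() -ne '' -and $entry.Trim() -ine $expected) {
        $findings += "Unexpected Userinit entry: $entry"
    }
}

# 2. Policy values: HKLM for the Windows XP behaviour, HKCU for the Windows 7 behaviour
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        $data = Get-RegData $pol $name
        if ($null -ne $data -and "$data" -ne '0') { $findings += "$hive $name = $data" }
    }
}

# 3. Image File Execution Options "Debugger" values redirecting msconfig.exe and regedit.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'msconfig.exe', 'regedit.exe') {
    $dbg = Get-RegData "$ifeo\$exe" 'Debugger'
    if ($dbg) { $findings += "IFEO Debugger for ${exe}: $dbg" }
}

# 4. SafeBoot key deleted, which blocks booting into Safe Mode
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    $findings += 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot is missing'
}

# 5. Legacy firewall exception list; the entry the XP variant adds ends in ":enabled:wsctrl"
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fw) {
    $list = Get-ItemProperty -Path $fw
    foreach ($name in (Get-Item $fw).GetValueNames()) {
        if ($list.$name -match ':wsctrl$') { $findings += "Firewall exception: $name = $($list.$name)" }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Matsnu indicators found.' }
```

A hit on any single check is worth investigating on its own; a missing SafeBoot key in particular is not something legitimate software does.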

Additional information

Trojan:Win32/Matsnu checks if its file name contains the strings "sand" or "-box". If it does, Trojan:Win32/Matsnu does not run.

Analysis by Matt McCormack

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Removing a program exception

This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps:

For Windows XP:

  1. Use an administrator account to log on.
  2. Click Start, select Run, type wscui.cpl, and then click OK.
  3. In Windows Security Center, click Windows Firewall.
  4. On the Exceptions tab, click on the malware file name and then click Delete.
  5. Click OK.

Enabling registry editor

This threat may modify the computer to prevent Registry Editor from running. To enable Registry Editor in your computer, please do the following:

  1. Run a command prompt. Click Start>Run and type cmd.
  2. In the command prompt, type the following as is and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit at the command prompt.
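As an added example (not part of the original entry), the following PowerShell script reverts the configuration changes described in the Technical Information section after a scan has removed the malware file itself; it assumes an elevated session, and $MalwareName is a placeholder for the 20-character file name reported by the scan.

```powershell
# Added example, not from the original entry: revert the registry changes this entry
# attributes to Trojan:Win32/Matsnu. Assumes an elevated session; $MalwareName is a
# placeholder the operator replaces with the file name reported by the scan.
param([string]$MalwareName = 'MALWARE_FILE_NAME_PLACEHOLDER')

# 1. Strip the malware entry from Winlogon\Userinit, keeping the legitimate userinit.exe
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$clean = (Get-ItemProperty -Path $wl).Userinit -split ',' |
    Where-Object { $_.Trim() -ne '' -and $_ -notmatch [regex]::Escape($MalwareName) }
Set-ItemProperty -Path $wl -Name Userinit -Value (($clean -join ',') + ',')

# 2. Re-enable Registry Editor and Task Manager in both hives the entry names
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
            Remove-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue
        }
    }
}

# 3. Remove the IFEO Debugger values that redirect msconfig.exe and regedit.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'msconfig.exe', 'regedit.exe') {
    Remove-ItemProperty -Path "$ifeo\$exe" -Name Debugger -ErrorAction SilentlyContinue
}

# 4. Drop the firewall exception added for the malware file
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fw) {
    (Get-Item $fw).GetValueNames() | Where-Object { $_ -like "*$MalwareName*" } |
        ForEach-Object { Remove-ItemProperty -Path $fw -Name $_ }
}

# 5. A deleted SafeBoot key cannot be rebuilt from scratch here; report it so the operator
#    can restore it from a known-good export taken from the same Windows version.
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    Write-Warning 'SafeBoot key is missing; restore it from a known-good registry export.'
}
```

With the placeholder left in place, steps 1 and 4 match nothing and change nothing, so the script is safe to dry-run before the real file name is supplied.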

Additional remediation instructions for Trojan:Win32/Matsnu

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article(s):
