Installation
Win32/Moudoor may arrive on your PC bundled with a legitimate program.
It drops a loader component using one of the following file names:
This is the malware loader component, responsible for dropping and loading the main DLL component. The loader installs the DLL component with any of the following file names:
It modifies the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "%TEMP%\<malware file>", for example, "C:\Users\<user name>\AppData\Local\Temp\antivir.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
Sets value: "<malware value>"
With data: "%TEMP%\<malware file>", for example, "C:\Users\<user name>\AppData\Local\Temp\antivir.exe"
Where <malware value> can be any of the following:
- Microsoft Update
- SunUpdate
- SymantecLiveUpdate
- SymantecUpdate
It uses a mutex to ensure that only one instance of the trojan is running at a time. Variants of Win32/Moudoor have been known to use the following names when creating the mutex:
- IEPASS
- UpdateWindow
- Update-Window
Payload
Steals sensitive data
Win32/Moudoor tries to gather the following data from your PC:
- RAS (remote access service) credentials
- System version information, for example, the version of your operating system
- Details of your security software
It can also log your keystrokes and take screenshots of your PC.
The stolen information is saved as an encoded file in <system folder> with a file name in the format of "KB<number>.dat", for example "<system folder>\KB1035627.dat".
Allows backdoor access and control
Win32/Moudoor tries to connect to the malicious hacker's server via port 80, 443, or 53 to report the infection and receive further instructions.
We have seen variants connect to the following domains and IP addresses:
- 134.255.242.47
- 211.43.220.10
- 219.90.117.132
- 58.64.155.57
- 58.64.155.59
- 58.64.199.25
- apples.suroot.com
- bbs.aspserver.net
- book.flnet.org
- hahadoctor.chickenkiller.com
- icybin.flnet.org
- justagoodmove.jumpingcrab.com
- justfor7day.ignorelist.com
- kissnada58.chatnook.com
- kulikuciu.flnet.org
- kulikuciu.strangled.net
- lingpiii.freecapperor.com
- me.scieron.com
- melodymonthly.ignorelist.com
- naverdorm.strangled.net
- safebrow.flnet.org
- site.darktech.org
- ssl.scieron.com
- superm.suroot.com
- taiwan.dtdns.net
- topswebc.cht.com.tw
- updates.etowns.net
- usa-mail.scieron.com
- usc-data.suroot.com
- webxxx.suroot.com
- www2.yahooeast.net
- yiwan.dyndns-server.com
Once connected, the malicious hacker can perform the following actions on your PC:
- Download and run updates, or other files, including malware
- List all services, processes, and drives - this list is saved to a file and then sent to the malicious hacker
- Open/close CD drives
- Shut down or reboot your PC
- Stop processes and services that may be related to your security software, such as the following:
  - 360sd.exe
  - 360tray.exe
  - ashdisli.exe
  - avcenter.exe
  - avli.exe
  - egui.exe
  - knsdtray.exe
  - kvmonxli.exe
  - kxetray.exe
  - mcshield.exe
  - ravmond.exe
  - tmbmsrv.exe
At the time of analysis, the remote server was inaccessible, so we were unable to confirm which files Win32/Moudoor downloads.
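The persistence, staging-file, command-and-control and process-termination indicators described above can be turned into a small triage script. The following is an added example, not Microsoft's code: it copies the registry value names, the KB<number>.dat pattern, the domain and IP list and the process list from this page into lookup tables and applies them to autorun entries, a resolver or proxy log, a system-folder listing and process-termination records. The log line format (`key=value` tokens), the `(killer, victim)` record shape and all sample values are constructed for the demo; reading the live Run keys uses the standard `winreg` module and therefore only does anything on Windows, with the constructed entries used elsewhere.

```python
"""Triage helpers for the Win32/Moudoor indicators described on this page.

Added example, not Microsoft's code. The indicator tables are copied from
the page; every sample value below is constructed for the demo.
"""
import re
import sys

# Autorun locations the page names (hive, subkey).
RUN_KEYS = [
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run"),
]
# Value names the page lists. They mimic legitimate updaters, so a name
# match alone is a lead to inspect, not proof of infection.
VALUE_NAMES = {"microsoft update", "sunupdate", "symantecliveupdate", "symantecupdate"}
# An autorun target that is an .exe in the user's Temp folder (page: %TEMP%\<malware file>).
TEMP_EXE = re.compile(r"(%temp%|\\appdata\\local\\temp)\\[^\\]+\.exe$", re.IGNORECASE)
# Exfiltration staging file, "KB<number>.dat" in the system folder.
KB_DAT = re.compile(r"^KB\d+\.dat$", re.IGNORECASE)
# Command-and-control hosts and addresses the page lists.
C2_INDICATORS = set("""
134.255.242.47 211.43.220.10 219.90.117.132 58.64.155.57 58.64.155.59 58.64.199.25
apples.suroot.com bbs.aspserver.net book.flnet.org hahadoctor.chickenkiller.com
icybin.flnet.org justagoodmove.jumpingcrab.com justfor7day.ignorelist.com
kissnada58.chatnook.com kulikuciu.flnet.org kulikuciu.strangled.net
lingpiii.freecapperor.com me.scieron.com melodymonthly.ignorelist.com
naverdorm.strangled.net safebrow.flnet.org site.darktech.org ssl.scieron.com
superm.suroot.com taiwan.dtdns.net topswebc.cht.com.tw updates.etowns.net
usa-mail.scieron.com usc-data.suroot.com webxxx.suroot.com www2.yahooeast.net
yiwan.dyndns-server.com
""".split())
# Security-software processes the backdoor may stop.
KILL_LIST = set("""
360sd.exe 360tray.exe ashdisli.exe avcenter.exe avli.exe egui.exe knsdtray.exe
kvmonxli.exe kxetray.exe mcshield.exe ravmond.exe tmbmsrv.exe
""".split())


def _exe_path(data):
    """Return the executable path from an autorun value's data, without arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def classify_run_entry(value_name, data):
    """Reasons an autorun value matches the page's persistence description (empty = none)."""
    reasons = []
    if value_name.strip().lower() in VALUE_NAMES:
        reasons.append("value name matches a Moudoor persistence name")
    if TEMP_EXE.search(_exe_path(data)):
        reasons.append("autorun target is an .exe under %TEMP%")
    return reasons


def collect_run_entries():
    """Read the two autorun keys on a live Windows host; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    entries.append((hive, subkey, name, str(data)))
                    index += 1
        except OSError:
            continue  # key absent or access denied
    return entries


def scan_resolver_log(lines):
    """Return (line, indicator) for log lines whose key=value tokens name a C2 host or IP."""
    hits = []
    for line in lines:
        for token in line.split():
            host = token.split("=", 1)[-1].lower().rstrip(".")
            if host in C2_INDICATORS:
                hits.append((line, host))
                break
    return hits


def staging_file_candidates(names):
    """File names in a system-folder listing that fit the KB<number>.dat pattern."""
    return [n for n in names if KB_DAT.match(n)]


def killed_security_processes(events):
    """From (killer, victim) process-termination records, keep victims on the kill list."""
    return [(k, v) for k, v in events if v.lower() in KILL_LIST]


if __name__ == "__main__":
    # Constructed sample data standing in for a real host and a real resolver log.
    run_values = collect_run_entries() or [
        ("HKCU", RUN_KEYS[0][1], "SymantecLiveUpdate",
         r'"C:\Users\alice\AppData\Local\Temp\antivir.exe"'),
        ("HKLM", RUN_KEYS[1][1], "OneDrive", r'"C:\Program Files\OneDrive\OneDrive.exe" /background'),
    ]
    for hive, subkey, name, data in run_values:
        for reason in classify_run_entry(name, data):
            print(f"{hive}\\{subkey} [{name}]: {reason}")
    for line, ioc in scan_resolver_log([
        "t=1 client=10.0.0.15 query=apples.suroot.com type=A",
        "t=2 client=10.0.0.15 query=www.example.com type=A",
        "t=3 client=10.0.0.22 dst=58.64.155.57 dport=443",
    ]):
        print("C2 indicator", ioc, "in:", line)
```

A hit from `classify_run_entry` on the value name alone deserves a look at the target path before any conclusion, since the names were chosen to resemble updaters that legitimately live in Run keys; a name match combined with a `%TEMP%` executable is the combination the page describes. `scan_resolver_log` matches exact hosts and addresses only, which is what the page supports; it does not treat sibling hosts under the same dynamic-DNS parent as indicators.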