Trojan:Win32/Matcash.KU is a trojan that contacts remote servers, displays pop-up advertisements, and downloads and runs other malware. Win32/Matcash may also masquerade as an "Internet Speed Monitor".
Installation
When Win32/Matcash is installed it may create folders and drop the following files:
%ProgramFiles%\inetget2\ismsetup venora2 (2600 aid=20 gab3).exe
%ProgramFiles%\ism\ism.exe
%ProgramFiles%\ism\bndloader.exe
%ProgramFiles%\ism\bnddrive7.dll
%ProgramFiles%\ism\uninstall.exe
%ProgramFiles%\ism2\ismpack7.exe
Right after installation, it may display a message box similar to the following:
The registry is modified to run Win32/Matcash at each Windows start.
Adds value: QdrPack13
With data: "%ProgramFiles%\qdrpack\qdrpack13.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: ISMPack7
With data: "%ProgramFiles%\ism2\ismpack7.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Displays Pop-ups
The installer will establish "bnddrive7.dll" as a Web Browser Helper Object (BHO) such that it will run whenever the default Web browser is launched. It contacts a remote Web server to display pop-up advertisements.
In order to install the DLL as a BHO, the installer adds numerous registry values with data, including the following:
Adds value: (default)
With data: "bndshell3"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{59FA541D-4DE4-4182-84DF-8B6EC0E7F545}
Adds value: AppID
With data: "{59fa541d-4de4-4182-84df-8b6ec0e7f545}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BndShell3.DLL
Adds value: (default)
With data: "bndshell3 bho class"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.BHO.1
Adds value: (default)
With data: "{8aba9a9c-8791-4d61-8d5b-bcc9448ea573}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.BHO.1\CLSID
Adds value: (default)
With data: "bndshell3 bho class"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.BHO
Adds value: (default)
With data: "{8aba9a9c-8791-4d61-8d5b-bcc9448ea573}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.BHO\CLSID
Adds value: (default)
With data: "bndshell3.bho.1"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.BHO\CurVer
Adds value: (default)
With data: "bndshell3 bho class"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}
Adds value: (default)
With data: "bndshell3.bho.1"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}\ProgID
Adds value: (default)
With data: "bndshell3.bho"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}\VersionIndependentProgID
Adds value: (default)
With data: "%ProgramFiles%\ism\bnddrive7.dll"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}\InprocServer32
Adds value: (default)
With data: "{dde3eca1-0352-4602-a719-154678216cc5}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}\TypeLib
Adds value: (default)
With data: "bndshell3 ie band"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.Band.1
Adds value: (default)
With data: "{1ed6a320-8af3-4f06-868a-9ba95585712e}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.Band.1\CLSID
Adds value: (default)
With data: "bndshell3 ie band"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.Band
Adds value: (default)
With data: "{1ed6a320-8af3-4f06-868a-9ba95585712e}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.Band\CLSID
Adds value: (default)
With data: "bndshell3.band.1"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndShell3.Band\CurVer
Adds value: (default)
With data: "internet speed monitor"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ED6A320-8AF3-4f06-868A-9BA95585712E}
Adds value: (default)
With data: "bndshell3.band.1"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ED6A320-8AF3-4f06-868A-9BA95585712E}\ProgID
Adds value: (default)
With data: "bndshell3.band"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ED6A320-8AF3-4f06-868A-9BA95585712E}\VersionIndependentProgID
Adds value: (default)
With data: "%ProgramFiles%\ism\bnddrive7.dll"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ED6A320-8AF3-4f06-868A-9BA95585712E}\InprocServer32
Adds value: (default)
With data: "{dde3eca1-0352-4602-a719-154678216cc5}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ED6A320-8AF3-4f06-868A-9BA95585712E}\TypeLib
Adds value: (default)
With data: "0"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ED6A320-8AF3-4f06-868A-9BA95585712E}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
Adds value: (default)
With data: "bndshell type library"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DDE3ECA1-0352-4602-A719-154678216CC5}\1.0
Adds value: (default)
With data: "0"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DDE3ECA1-0352-4602-A719-154678216CC5}\1.0\FLAGS
Adds value: (default)
With data: "%ProgramFiles%\ism\bnddrive7.dll"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DDE3ECA1-0352-4602-A719-154678216CC5}\1.0\0\win32
Adds value: (default)
With data: "%ProgramFiles%\ism\"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DDE3ECA1-0352-4602-A719-154678216CC5}\1.0\HELPDIR
Adds value: BandInstalled
With data: "1"
To subkey: HKEY_CURRENT_USER\Software\BndDrive
Adds value: Installed
With data: "1"
To subkey: HKEY_CURRENT_USER\Software\amera
Adds value: DisplayName
With data: "internet speed monitor"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ISM
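As an added example (not part of this encyclopedia entry), the following Python script parses a Windows .reg export and flags the autorun values from the Installation section and the COM/BHO registrations from the Payload section above. The export is constructed for illustration: the Matcash entries are the ones this page lists, and the benign OneDrive value is made up to show it is not flagged.

```python
import re

# Constructed .reg export: Matcash entries from this page plus one made-up benign value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"ISMPack7"="C:\\Program Files\\ism2\\ismpack7.exe"
"QdrPack13"="C:\\Program Files\\qdrpack\\qdrpack13.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}\InprocServer32]
@="C:\\Program Files\\ism\\bnddrive7.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BndShell3.DLL]
"AppID"="{59fa541d-4de4-4182-84df-8b6ec0e7f545}"
'''

# Indicators taken from this page: Run values, COM GUIDs and dropped file names.
RUN_KEY_SUFFIX = r'\software\microsoft\windows\currentversion\run'
RUN_VALUES = {'qdrpack13', 'ismpack7'}
MATCASH_GUIDS = {'{8ABA9A9C-8791-4D61-8D5B-BCC9448EA573}',  # BndShell3.BHO CLSID
                 '{1ED6A320-8AF3-4F06-868A-9BA95585712E}',  # BndShell3.Band CLSID
                 '{59FA541D-4DE4-4182-84DF-8B6EC0E7F545}',  # bndshell3 AppID
                 '{DDE3ECA1-0352-4602-A719-154678216CC5}'}  # bndshell type library
DROPPED_FILES = {'bnddrive7.dll', 'bndloader.exe', 'ismpack7.exe', 'qdrpack13.exe'}
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

def parse_reg(text):
    """Yield (subkey, value_name, data) for each value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and '=' in line:
            name, _, data = line.partition('=')
            name = '(default)' if name == '@' else name.strip('"')
            if data.startswith('"'):  # quoted REG_SZ: drop quotes, un-escape backslashes
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            yield key, name, data

def find_matcash_indicators(reg_text):
    """Return (reason, subkey, value_name, data) for entries matching the indicators above."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        guids = {g.upper() for g in GUID_RE.findall(key + ' ' + data)}
        if key.lower().endswith(RUN_KEY_SUFFIX) and name.lower() in RUN_VALUES:
            hits.append(('Matcash autorun value', key, name, data))
        elif guids & MATCASH_GUIDS:
            hits.append(('Matcash COM/BHO registration', key, name, data))
        elif data.lower().rsplit('\\', 1)[-1] in DROPPED_FILES:
            hits.append(('reference to Matcash dropped file', key, name, data))
    return hits
```

On a live host the same function can be run over the output of `reg export` for the Run key and HKLM\SOFTWARE\Classes; the GUID match catches the ProgID, CLSID, AppID and TypeLib keys listed above regardless of letter case.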
Downloads and Executes Arbitrary Files
This trojan may contact a Web site named 'berlinads3.com' and download additional components.
Analysis by Vitaly Zaytsev