Installation
This trojan may be installed by other malware.
The trojan drops either a copy or a variant of itself on your PC. We have seen it drop itself using the following file names and locations:
Some variants will make themselves run every time you start your PC.
Older variants might modify the following registry entry to do this:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<system service name>", for example "WindowsNetworkingMonitoring"
With data: "<location of malware file>", for example "<system folder>\mdm.exe"
More recent variants (as of September 2014) might instead register themselves as services. They modify or create the following registry keys:
- HKLM\SYSTEM\CurrentControlSet\Services\RaS<four random characters>\Parameters
- HKLM\SYSTEM\CurrentControlSet\Services\<system service name>\Parameters
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
They then set one of the following values as the name of the service:
- <name of the dropped copy of the malware>
- ImagePath
- McpRoXy
- netsvcs
- ServiceDll
- Soundmax
- SysIns
- WindowsNetworkingMonitoring
The data for the registry entry will be the location of the malware file.
For example, it might look like this:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "WindowsNetworkingMonitoring"
With data: "%USERPROFILE%\WindowsNetworkingMonitoring.dll"
Payload
Changes security settings
The trojan modifies the registry to weaken your PC's security settings. These changes let the remote attacker open a back door on your PC:
In subkey: HKLM\Software\Microsoft\OLE
Sets value: "EnableDCOM"
With data: "n"
In subkey: HKLM\Software\System\CurrentControlSet\Lsa
Sets value: "restricanaonymous"
With data: "1"
Changes Internet Explorer start page
It can also change the Internet Explorer start page by changing your registry:
In subkey: HKCU\Software\Microsoft\InternetExplorer\Main
Sets value: "Start Page"
With data: "http://www.dbsarticles.com"
The new start page might install other malware or ads onto your PC.
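The persistence and security-setting changes above are all registry writes, so an offline check over a regedit export is a practical way to look for them. The script below is an added example and not part of this write-up or any Microsoft tool: it parses the string (REG_SZ) entries of a `.reg` export, then matches each entry against the indicators described above (the Run-key value and SvcHost entry named WindowsNetworkingMonitoring, the RaS<four random characters> service key, a ServiceDll or ImagePath under %USERPROFILE%, EnableDCOM set to "n", the "restricanaonymous" Lsa value, and the dbsarticles.com start page). The sample export is constructed; the service name "RaSqz7k", the OneDrive entry and the user name "alice" are made up for the example, and the Lsa path used in the sample is the standard HKLM\SYSTEM\CurrentControlSet\Control\Lsa rather than the path printed in the write-up.

```python
import re
from typing import Dict, List, Tuple

# Hive prefixes as written by regedit exports, shortened to the form used in the write-up.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Value/service names the write-up lists for the dropped copy.
SERVICE_NAMES = {"McpRoXy", "Soundmax", "SysIns", "WindowsNetworkingMonitoring"}

# "RaS" followed by four random characters, as described for newer variants.
RAS_SERVICE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\RaS[A-Za-z0-9]{4}\\Parameters$", re.I)

# Constructed sample export (not a real capture): one benign Run entry plus
# entries shaped like the ones in the write-up. "RaSqz7k" is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"WindowsNetworkingMonitoring"="C:\\Windows\\System32\\mdm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WindowsNetworkingMonitoring"="%USERPROFILE%\\WindowsNetworkingMonitoring.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSqz7k\Parameters]
"ServiceDll"="%USERPROFILE%\\WindowsNetworkingMonitoring.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="n"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restricanaonymous"="1"

[HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main]
"Start Page"="http://www.dbsarticles.com"
"""


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Return {(key, value_name): data} for the REG_SZ ("name"="data") lines of a .reg export.
    Binary and hex(7) values are skipped; string entries are all this check needs."""
    entries: Dict[Tuple[str, str], str] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            for long_name, short in HIVES.items():
                if key.upper().startswith(long_name):
                    key = short + key[len(long_name):]
            current_key = key
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current_key is not None:
            # .reg files escape backslashes inside string data as \\ .
            entries[(current_key, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries


def find_indicators(entries: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str, str]]:
    """Match each entry against the behaviours in the write-up; returns (label, key, name, data)."""
    hits = []
    for (key, name), data in entries.items():
        k, n, d = key.lower(), name.lower(), data.lower()
        if k == r"hkcu\software\microsoft\windows\currentversion\run" and name in SERVICE_NAMES:
            hits.append(("run-key persistence", key, name, data))
        # A genuine SvcHost group lists service names; a file path there is out of place.
        if k.endswith(r"\currentversion\svchost") and ("\\" in data or d.endswith(".dll")):
            hits.append(("svchost group value points at a file", key, name, data))
        if RAS_SERVICE.match(key):
            hits.append(("RaS<random> service parameters key", key, name, data))
        if n in ("servicedll", "imagepath") and "%userprofile%" in d:
            hits.append(("service binary under user profile", key, name, data))
        if k.endswith(r"\microsoft\ole") and n == "enabledcom" and d == "n":
            hits.append(("DCOM setting changed (EnableDCOM=n)", key, name, data))
        if k.endswith(r"\lsa") and n == "restricanaonymous":
            hits.append(("Lsa value from the write-up present", key, name, data))
        if k.endswith(r"\internetexplorer\main") and n == "start page" and "dbsarticles.com" in d:
            hits.append(("IE start page hijacked", key, name, data))
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE_REG)):
        print("%-40s %s\\%s = %s" % hit)
```

Run it against `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` output from a host under investigation instead of the embedded sample; the benign OneDrive line shows that an ordinary Run entry is not flagged, while the RaSqz7k Parameters key produces two hits (the random service name and the DLL under the user profile).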
Opens a back door into your PC
Some variants might create a process named McpRoXy.exe, which creates a back door to communicate with a remote server. The configuration information may be saved as one of the following files:
The trojan can connect to an IRC server named tap.radioprishtina.net using TCP port 2345. Once connected, it can wait for commands from a remote malicious hacker, which include instructions to download and run other files, including malware.
Some variants try to communicate with the following IP address or domains:
- 360.homeunix.com
- 111.68.9.93
- ad04.bounceme.net
- ftp1.ftpaccess.cc
- ftp2.homeunix.com
They use port 80 or port 443 so that the connections look like normal web traffic from your PC.
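Because the back door uses a fixed IRC server and port and otherwise hides among web-port traffic, the hosts and ports above are straightforward to hunt for in outbound connection logs. The script below is an added example, not part of this write-up: it reads constructed connection records in a simple "time source -> host:port protocol" shape (not any real product's log format) and labels contact with tap.radioprishtina.net on TCP 2345 as IRC command-and-control, contact with the other listed hosts on 80 or 443 as disguised traffic, and contact with them on any other port separately. The source addresses and timestamps are made up.

```python
import re
from typing import Dict, List

# Hosts named in the write-up.
IRC_SERVER = ("tap.radioprishtina.net", 2345)
C2_HOSTS = {"360.homeunix.com", "111.68.9.93", "ad04.bounceme.net",
            "ftp1.ftpaccess.cc", "ftp2.homeunix.com"}

# Constructed log lines (made up for this example); the second line is benign.
SAMPLE_LOG = """\
2014-09-12T10:01:03Z 10.0.0.5 -> tap.radioprishtina.net:2345 tcp
2014-09-12T10:01:09Z 10.0.0.5 -> www.microsoft.com:443 tcp
2014-09-12T10:02:41Z 10.0.0.7 -> 360.homeunix.com:443 tcp
2014-09-12T10:03:15Z 10.0.0.7 -> 111.68.9.93:80 tcp
2014-09-12T10:04:00Z 10.0.0.9 -> ftp1.ftpaccess.cc:21 tcp
"""

LINE = re.compile(r"^(\S+) (\S+) -> (\S+?):(\d+) (\S+)$")


def classify(host: str, port: int) -> str:
    """Label one destination; empty string means it matches nothing in the write-up."""
    host = host.lower().rstrip(".")          # normalise case and a trailing DNS dot
    if (host, port) == IRC_SERVER:
        return "irc-c2"
    if host in C2_HOSTS:
        # 80/443 is the disguise the write-up describes; anything else is still the same host.
        return "c2-host-web-port" if port in (80, 443) else "c2-host-other-port"
    return ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose destination matches a listed host."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                         # skip lines that are not in the expected shape
        ts, src, host, port, proto = m.groups()
        label = classify(host, int(port))
        if label:
            hits.append({"time": ts, "src": src, "dest": "%s:%s" % (host, port),
                         "proto": proto, "label": label})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%(time)s %(src)s -> %(dest)s %(label)s" % hit)
```

The source address in each hit identifies the PC to pull for the registry check; a matching record plus the rat_UnInstall-style mutex on that host is strong corroboration.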
Additional information
The trojan can create a mutex with a name similar to rat_UnInstall. This is likely an infection marker that prevents more than one copy of the threat from running on your PC.
Analysis by Carmen Liang