Trojan.MulDrop7.19268

Technical Information

Malicious functions:

Executes the following:

'%TEMP%\CmdLineExtInstallerExe.exe'

Registers COM server:

[<HKLM>\SOFTWARE\Classes\CLSID\{F0407C3D-349C-42b9-B83E-821E31623DF9}\InprocServer32] '' = '<SYSTEM32>\CmdLineExt.dll'
[<HKLM>\SOFTWARE\Classes\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}\InprocServer32] '' = '<SYSTEM32>\CmdLineExt.dll'

Searches for windows to

detect analytical utilities:

ClassName: 'PROCEXPL', WindowName: 'Process Explorer - SysInternals: www.sysinternals.com [CRNJEUFU\URNXYMAV]'
ClassName: 'FileMonClass', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'PROCEXPL', WindowName: ''
ClassName: 'pediy06', WindowName: ''
ClassName: 'OLLYDBG', WindowName: ''
ClassName: 'APIMonitor By Rohitab', WindowName: ''
ClassName: 'TIdaWindow', WindowName: ''

Modifies file system:

Creates the following files:

%APPDATA%\SecuROM\UserData\securom_v7_01.bak
%APPDATA%\SecuROM\UserData\securom_v7_01.dat
%APPDATA%\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
%TEMP%\drm_dialogs.dll
%APPDATA%\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
<SYSTEM32>\CmdLineExt.dll
%TEMP%\CmdLineExtInstallerExe.exe
%TEMP%\drm_dyndata_7330016.dll
%APPDATA%\SecuROM\UserData\securom_v7_01.tmp
%APPDATA%\SecuROM\UserData\readme.txt

Sets the 'hidden' attribute to the following files:

%APPDATA%\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
%APPDATA%\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
%APPDATA%\SecuROM\UserData\securom_v7_01.bak

Deletes the following files:

<SYSTEM32>\d3d9caps.dat
%TEMP%\CmdLineExtInstallerExe.exe

Miscellaneous:

Searches for the following windows:

ClassName: 'ReBarWindow32' WindowName: ''
ClassName: 'ToolbarWindow32 ' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: '#32770' WindowName: 'Task Explorer II - by Ntoskrnl'
ClassName: '#32770' WindowName: 'Atiptool'
ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: 'FileMonClass'
ClassName: 'ThunderRT6FormDC' WindowName: 'Settings'
ClassName: '' WindowName: 'APIMonitor By Rohitab'
ClassName: 'ThunderRT6Main' WindowName: 'Pr0t.St0p v1.0'
ClassName: 'ThunderRT6Main' WindowName: 'SD4 Sucks v0.10 by Joseph Cox'
ClassName: 'ToolbarWindow32?' WindowName: ''
ClassName: 'ThunderRT6FormDC' WindowName: 'Pr0t.St0p v1.0'
ClassName: 'TApplication' WindowName: '<File name>'
ClassName: 'ThunderRT6Main' WindowName: 'SysAnalyzer'
ClassName: 'c1' WindowName: 'KaKeeware Application Monitor 1.21'
ClassName: 'c3' WindowName: 'API Functions'
ClassName: 'TMainForm' WindowName: 'PEBrowse Professional Interactive'
ClassName: 'PEBrowse Professional Interactive' WindowName: 'TMainForm'
ClassName: 'cuteProgressClass' WindowName: ''
ClassName: 'SysPager' WindowName: ''
ClassName: 'ToolbarWindow32' WindowName: ''
ClassName: 'JCDSPY_NT_001' WindowName: 'DriverspyNT v1.20. (c)2001,2002 Collake Software'
ClassName: 'TrayNotifyWnd' WindowName: ''
ClassName: 'ApiLogger' WindowName: 'ThunderRT6Main'
ClassName: 'ThunderRT6Main' WindowName: 'Process Analyzer - right click on a process to access menu'
ClassName: 'SysAnalyzer' WindowName: 'ThunderRT6Main'
ClassName: 'ThunderRT6Main' WindowName: 'ApiLogger'
ClassName: 'Process Analyzer - right click on a process to access menu' WindowName: 'ThunderRT6Main'
ClassName: 'ThunderRT6Main' WindowName: 'SysAnalyzer Configuration Wizard'
ClassName: 'SysAnalyzer Configuration Wizard' WindowName: 'ThunderRT6Main'
ClassName: 'ThunderRT6Main' WindowName: 'sniff_hit'
ClassName: 'sniff_hit' WindowName: 'ThunderRT6Main'
ClassName: 'SafeDisc4 Hider 1.1 ? 2005 SKULL' WindowName: 'Tsd4hideform'
ClassName: 'ThunderRT6Main' WindowName: 'SR7.Stop v1.1'
ClassName: 'ThunderRT6FormDC' WindowName: 'SR7.Stop v1.1'
ClassName: 'ThunderRT6Main' WindowName: 'SR7Stop'
ClassName: 'ThunderRT6Main' WindowName: 'SR7.Stop v1.2'
ClassName: '' WindowName: '[ LordPE Deluxe ] by yoda'
ClassName: '[ LordPE Dumper Server ]' WindowName: ''
ClassName: '#32770' WindowName: '[ LordPE Deluxe b ] by yoda'
ClassName: '[ LordPE Deluxe ] by yoda' WindowName: ''
ClassName: '' WindowName: '[ LordPE Dumper Server ]'
ClassName: 'Lbr68' WindowName: ''
ClassName: 'icu_dbg' WindowName: ''
ClassName: '18467-41' WindowName: ''
ClassName: 'SHADOW' WindowName: ''
ClassName: 'kk1' WindowName: ''
ClassName: '#32770' WindowName: 'Starforce Nightmare'
ClassName: 'Virtual-CD-Hide' WindowName: 'Virtual-CD-Hide'
ClassName: 'WispWindowClass' WindowName: 'Syser [Ctrl+F12]'
ClassName: 'ThunderRT6Main' WindowName: 'Anti-Blaxx'
ClassName: '[ LordPE Deluxe b ] by yoda' WindowName: '#32770'
ClassName: 'SafeDisc4 Hider' WindowName: 'TApplication'
ClassName: 'TForm1' WindowName: 'SafeDisc4 Hider 1.0 ? 2005 SKULL'
ClassName: 'BusTrace Status' WindowName: '#32770'
ClassName: 'TApplication' WindowName: 'SafeDisc4 Hider'
ClassName: 'Tsd4hideform' WindowName: 'SafeDisc4 Hider 1.1 ? 2005 SKULL'
ClassName: 'SafeDisc4 Hider 1.0 ? 2005 SKULL' WindowName: 'TForm1'
ClassName: '#32770' WindowName: 'STARFUCK TOOL'
ClassName: 'STARFUCK TOOL' WindowName: '#32770'
ClassName: '#32770' WindowName: '[ LordPE RoyalTS ] by yoda'
ClassName: '[ LordPE RoyalTS ] by yoda' WindowName: '#32770'
ClassName: 'TForm1' WindowName: 'Fucker of CDROM Protections v0.81 Beta'
ClassName: 'Fucker of CDROM Protections v0.83 Beta' WindowName: 'TForm1'
ClassName: '#32770' WindowName: 'BusTrace Status'
ClassName: 'Fucker of CDROM Protections v0.81 Beta' WindowName: 'TForm1'
ClassName: 'TForm1' WindowName: 'Fucker of CDROM Protections v0.83 Beta'

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial