Trojan.MulDrop7.53979

Technical Information

To ensure autorun and distribution:

Substitutes the following executable system files:

<SYSTEM32>\msxml3r.dll with <SYSTEM32>\SET14.tmp
<SYSTEM32>\msxml3.dll with <SYSTEM32>\SET12.tmp

Infects the following executable files:

<SYSTEM32>\SET12.tmp

Modifies file system:

Creates the following files:

%CommonProgramFiles%\Microsoft Shared\SFPCA Cache\msxmlx.inf
%CommonProgramFiles%\Microsoft Shared\SFPCA Cache\mdacxmlx.inf
%CommonProgramFiles%\Microsoft Shared\SFPCA Cache\msxml3r.dll
%CommonProgramFiles%\Microsoft Shared\SFPCA Cache\msxmlx.cat
%WINDIR%\Installer\MSI9.tmp
%WINDIR%\inf\msxmlx.PNF
%WINDIR%\RegisteredPackages\{1D099D24-8FDF-46DD-9EA3-31D6E9A73E9F}\msxmlx.inf
<SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\msxmlx.CAT
%WINDIR%\inf\msxmlx.inf
%WINDIR%\Installer\MSI3.tmp
%WINDIR%\Installer\MSI4.tmp
%WINDIR%\Installer\MSI2.tmp
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
%WINDIR%\Installer\MSI6.tmp
%ProgramFiles%\LG Electronics\LGUP\model\8994\LGUP_8994.dll
%CommonProgramFiles%\Microsoft Shared\SFPCA Cache\msxml3.dll
%WINDIR%\Installer\MSI7.tmp
C:\Config.Msi\26019.rbs
<SYSTEM32>\SET14.tmp
%WINDIR%\Installer\MSI15.tmp
<SYSTEM32>\SET12.tmp
%WINDIR%\Temp\OLD13.tmp
%WINDIR%\Installer\MSI16.tmp
<SYSTEM32>\dllcache\msxml3.dll.new
<SYSTEM32>\dllcache\msxml3r.dll.new
%WINDIR%\Installer\2601a.msi
%WINDIR%\Installer\{4504D6ED-2584-4CCA-9B24-3B09277473DF}\ARPPRODUCTICON.exe
%WINDIR%\Temp\OLDD.tmp
%WINDIR%\RegisteredPackages\{1D099D24-8FDF-46DD-9EA3-31D6E9A73E9F}\msxml3.dll
%WINDIR%\RegisteredPackages\{1D099D24-8FDF-46DD-9EA3-31D6E9A73E9F}\msxmlx.cat
%WINDIR%\LastGood\TMPC.tmp
%WINDIR%\LastGood\TMPE.tmp
%CommonProgramFiles%\Microsoft Shared\dasetup\SET10.tmp
%WINDIR%\Temp\OLD11.tmp
%WINDIR%\Temp\OLDF.tmp
%WINDIR%\RegisteredPackages\{1D099D24-8FDF-46DD-9EA3-31D6E9A73E9F}\msxml3r.dll
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
%TEMP%\LGUP_8994_DLL_v0.0.4.4\Win\System\mfcm100u.dll
%TEMP%\LGUP_8994_DLL_v0.0.4.4\Win\System\msvcp100.dll
%TEMP%\LGUP_8994_DLL_v0.0.4.4\Win\System\mfc100u.dll
%TEMP%\LGUP_8994_DLL_v0.0.4.4\Win\System\mfcm100.dll
%TEMP%\LGUP_8994_DLL_v0.0.4.4\Win\System\msvcr100.dll
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
%WINDIR%\Installer\26017.msi
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
%TEMP%\LGUP_8994_DLL_v0.0.4.4\msxmlx.inf
%TEMP%\LGUP_8994_DLL_v0.0.4.4\setup.msi
%TEMP%\LGUP_8994_DLL_v0.0.4.4\mdacxmlx.inf
%TEMP%\LGUP_8994_DLL_v0.0.4.4\msxmlx.cat
%TEMP%\LGUP_8994_DLL_v0.0.4.4\msxml3.dll
%TEMP%\LGUP_8994_DLL_v0.0.4.4\program files\LG Electronics\LGUP\model\8994\LGUP_8994.dll
%TEMP%\LGUP_8994_DLL_v0.0.4.4\Win\System\mfc100.dll
%TEMP%\LGUP_8994_DLL_v0.0.4.4\msxml3a.dll
%TEMP%\LGUP_8994_DLL_v0.0.4.4\msxml3r.dll
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
%WINDIR%\Installer\26018.ipi
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\msxmlx.CAT

Deletes the following files:

%WINDIR%\Installer\MSI15.tmp
%WINDIR%\Installer\MSI16.tmp
%WINDIR%\Installer\MSI9.tmp
%WINDIR%\Temp\OLD11.tmp
%TEMP%\mso5.tmp
%WINDIR%\Installer\26018.ipi
%TEMP%\2549e.msi
%WINDIR%\Installer\26017.msi
%WINDIR%\Installer\MSI2.tmp
C:\Config.Msi\26019.rbs
%WINDIR%\Installer\MSI6.tmp
%WINDIR%\Installer\MSI7.tmp
%WINDIR%\Installer\MSI4.tmp
%TEMP%\MSI1.tmp
%WINDIR%\Installer\MSI3.tmp
<SYSTEM32>\msxml3r.dll
%WINDIR%\Temp\OLD13.tmp
<SYSTEM32>\msxml3.dll
%WINDIR%\Temp\OLDF.tmp
%WINDIR%\Temp\OLDD.tmp

Moves the following files:

from %CommonProgramFiles%\Microsoft Shared\dasetup\SET10.tmp to %CommonProgramFiles%\Microsoft Shared\dasetup\msxmlx.inf
from %WINDIR%\LastGood\TMPE.tmp to %WINDIR%\LastGood\system32\msxml3r.dll
from %WINDIR%\LastGood\TMPC.tmp to %WINDIR%\LastGood\system32\msxml3.dll

Miscellaneous:

Executes the following:

'<SYSTEM32>\msiexec.exe' -Embedding 4ECE995CF1A832DD866EFC27D9C1C11C
'<SYSTEM32>\msiexec.exe' -Embedding 058B47299529EDAA5E15A3DBC8DCE1B4 M Global\MSI0000
'<SYSTEM32>\msiexec.exe' -Embedding 15DCA1A746D9C9A73C1827B7E9514956 C
'<SYSTEM32>\msiexec.exe' /i "%TEMP%\LGUP_8994_DLL_v0.0.4.4\setup.msi"
'<SYSTEM32>\msiexec.exe' /V

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial