
Trojan:Win32/Mevade


First posted on 13 September 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Mevade.

Explanation:

Threat behavior

Installation

Variants of this family can be installed by other malware or potentially unwanted software, or you might download it via peer-to-peer sharing, thinking it is a legitimate program. For example, we have seen the variants Trojan:Win32/Mevade.B and Trojan:Win32/Mevade.gen!A spreading through the eMule sharing program.

We have seen variants use the following names:

  • Adobe Flash Player Update Service by Adobe Systems Incorporated, with the file name FlashPlayerUpdateService.exe
  • Bluetooth LE Services Control Protocol, with the file name BleServicesCtrl.exe
  • Windows Internet Name Service, with the file name wins.exe
  • Windows Modules Installer by Microsoft Corporation, with the file name TrustedInstaller.exe


It copies itself to various locations, with a file name that changes depending on the variant; the following are used by Trojan:Win32/Mevade.D:

  • <system folder>\FlashPlayerUpdateService.exe
  • <system folder>\Macromed\Flash\FlashPlayerUpdateService.exe


We have also seen other variants use the following folders and file names:

  • <system folder>\TrustedInstaller.exe
  • <system folder>\uti.exe
  • <system folder>\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe
  • %windir%\SysWOW64\FlashPlayerUpdateService.exe
  • %windir%\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe


Some variants host a legitimate proxy service called "3proxy".

It creates two scheduled jobs so its copy is run on a regular basis:

  • %windir%\Tasks\<job name>.job
  • %windir%\Tasks\<job name> 2.job


Here <job name> changes depending on the variant; for example, AdobeFlashPlayerUpdate.job.

The trojan registers itself as a service in the registry. We have seen it use the following names:

  • Adobe Flash Player Update Service
  • Bluetooth LE Services Control Protocol
  • Trusted Installer
  • Windows Internet Name Service


Note that these names may also be used by legitimate services.
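The installation artefacts above (copy locations, masquerading service names, and the paired scheduled jobs) are the host-side indicators a responder would check first. The following script is an added example, not part of the Microsoft write-up: it normalises the write-up's path placeholders, compares a service inventory and a Tasks-folder listing against them, and grades each finding, treating a name match alone as a lead rather than a verdict because, as the write-up notes, legitimate services use the same names. The inventory records it runs on are constructed.

```python
"""Host triage against the Trojan:Win32/Mevade installation artefacts described
above (copy locations, service names, paired scheduled jobs).  Added example,
not part of the Microsoft write-up; the inventory records below are constructed."""

# '<system folder>' and '%windir%' are expanded so that '<system folder>\x.exe',
# '%windir%\System32\x.exe' and 'C:\Windows\system32\x.exe' compare equal.
WINDIR = r"c:\windows"


def normalise(path: str) -> str:
    p = path.strip().strip('"').lower()
    p = p.replace("<system folder>", WINDIR + r"\system32")
    p = p.replace("%windir%", WINDIR).replace("%systemroot%", WINDIR)
    return p


# Copy locations listed for Mevade.D and the other variants.
MEVADE_PATHS = {normalise(p) for p in (
    r"<system folder>\FlashPlayerUpdateService.exe",
    r"<system folder>\Macromed\Flash\FlashPlayerUpdateService.exe",
    r"<system folder>\TrustedInstaller.exe",
    r"<system folder>\uti.exe",
    r"<system folder>\config\systemprofile\Local Settings\Application Data"
    r"\Windows Internet Name Service\wins.exe",
    r"%windir%\SysWOW64\FlashPlayerUpdateService.exe",
    r"%windir%\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe",
)}

# Service and product names the variants masquerade under.  Legitimate
# services use these names too, so a name match by itself is only a lead.
MEVADE_SERVICE_NAMES = {
    "adobe flash player update service",
    "bluetooth le services control protocol",
    "windows modules installer",
    "trusted installer",
    "windows internet name service",
    "tor win32 service",
}


def task_pairs(task_files):
    """Return job stems X for which both 'X.job' and 'X 2.job' exist, the
    pairing the trojan uses for its two scheduled jobs."""
    names = {t.strip().lower() for t in task_files}
    pairs = []
    for t in sorted(names):
        if t.endswith(".job") and not t.endswith(" 2.job"):
            stem = t[:-len(".job")]
            if stem + " 2.job" in names:
                pairs.append(stem)
    return pairs


def triage(services, task_files):
    """services: iterable of {'display_name': str, 'image_path': str} records
    (for example from the SCM); task_files: file names found in %windir%\\Tasks.
    Returns a list of findings, each with a confidence level."""
    findings = []
    for svc in services:
        reasons = []
        if normalise(svc["image_path"]) in MEVADE_PATHS:
            reasons.append("image path is a Mevade copy location")
        if svc["display_name"].strip().lower() in MEVADE_SERVICE_NAMES:
            reasons.append("display name used by Mevade (and by legitimate services)")
        if reasons:
            findings.append({
                "kind": "service",
                "subject": svc["display_name"],
                "path": svc["image_path"],
                "reasons": reasons,
                # Name and path together is the strong signal; either alone
                # needs confirmation (file hash, signature, creation time).
                "confidence": "high" if len(reasons) == 2 else "low",
            })
    for stem in task_pairs(task_files):
        findings.append({
            "kind": "task-pair",
            "subject": f"{stem}.job / {stem} 2.job",
            "path": r"%windir%\Tasks",
            "reasons": ["paired scheduled jobs in the Mevade naming pattern"],
            "confidence": "medium",
        })
    return findings


# Constructed inventory: a genuine Windows Modules Installer entry, two entries
# at copy locations from the write-up, and a Tor service with a matching name.
SAMPLE_SERVICES = [
    {"display_name": "Windows Modules Installer",
     "image_path": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"display_name": "Windows Modules Installer",
     "image_path": r"C:\Windows\System32\TrustedInstaller.exe"},
    {"display_name": "Windows Internet Name Service",
     "image_path": r"C:\Windows\System32\config\systemprofile\Local Settings"
                   r"\Application Data\Windows Internet Name Service\wins.exe"},
    {"display_name": "Tor Win32 Service",
     "image_path": r"C:\Program Files\Tor\tor.exe"},
]
SAMPLE_TASKS = ["AdobeFlashPlayerUpdate.job", "AdobeFlashPlayerUpdate 2.job",
                "GoogleUpdateTaskMachineUA.job"]

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_TASKS):
        print(f"[{f['confidence']}] {f['kind']}: {f['subject']} -> {'; '.join(f['reasons'])}")
```

On the constructed inventory the genuine TrustedInstaller.exe under %windir%\servicing is reported only as a low-confidence name match, while the copies at the write-up's locations and the AdobeFlashPlayerUpdate job pair are graded high and medium. Real inventories should be taken from the Services registry key or the SCM and the Tasks folder; an image path with arguments should be trimmed to the executable before it is passed in.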


Payload

Downloads other malware

The trojan connects to remote servers, known as command and control (C&C) servers. When connected, it attempts to download data that specifies what further files to download or actions to take.

Some of the C&C domains known to be used by this trojan include:

  • http://6lokc3ut.no
  • http://7cxnrxku.no
  • http://7yp6xheu.no
  • http://assetsstatistic.com
  • http://fullstatistic.com
  • http://full-statistic.com
  • http://iqxdx4bc.no
  • http://jameslipon.no-ip.biz
  • http://kimberlybroher.no-ip.biz
  • http://l7kitc2s.no
  • http://lqhggo2s.no
  • http://lqiw5zec.no
  • http://lrzxxcmc.no
  • http://mycg4if7.no
  • http://ohifq4cv.no
  • http://olivasonny.no-ip.biz
  • http://patricevaillancourt.sytes.net
  • http://pmesnt54.no
  • http://qcm2m742.no
  • http://reserve-statistic.com
  • http://reservestatistic.net
  • http://securitystatistic.com
  • http://service-stat.com
  • http://service-statistic.com
  • http://service-update.net
  • http://srvupd.com
  • http://srvupd.net
  • http://stockstatistic.com
  • http://storestatistic.com
  • http://svcupd.net
  • http://timothymahoney.ddns.me.uk
  • http://updservice.net
  • http://updsrv.net
  • http://updsvc.com
  • http://updsvc.net
  • http://wys2mk65.no
  • http://y6pqn6ca.no


The trojan uses different methods to contact the servers, depending on the variant. We have seen it use:

  • HTTP
  • HTTP over Tor
  • SSH by using the legitimate application PuTTY


The HTTP requests may look like the following GET request: http://updsvc.net/<removed>/3f76764a34f81e63df90b61f65b31d75/2.

We have seen the trojan download and run the following files, among others:

  • http://jameslipon.no-ip.biz/<removed>/tc.c1
  • http://kimberlybroher.no-ip.biz/<removed>/tc.c1
  • http://olivasonny.no-ip.biz/<removed>/tc.c1
  • http://patricevaillancourt.sytes.net/<removed>/tc.c1
  • http://timothymahoney.ddns.me.uk/<removed>/tc.c1


These downloaded files are currently detected as Trojan:Win32/Mevade.B and Trojan:Win32/Mevade.gen!A.
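The C&C host list, the shape of the beacon GET request, and the tc.c1 payload name above are the network-side indicators. The following script is an added example, not part of the Microsoft write-up: it matches web-proxy log lines against all three, rating a host-list hit as high confidence and a path-shape match on an unknown host as a lead only. The log format and the log lines are constructed, and the "sample" path segment stands in for the <removed> value in the write-up.

```python
"""Match web-proxy log lines against the Trojan:Win32/Mevade network indicators
described above: the C&C host list, the beacon request shape
'/<segment>/<32 hex>/<n>' and the 'tc.c1' payload download.  Added example,
not part of the Microsoft write-up; the log format and lines are constructed."""
import re
from urllib.parse import urlsplit

MEVADE_C2_HOSTS = {
    "6lokc3ut.no", "7cxnrxku.no", "7yp6xheu.no", "assetsstatistic.com",
    "fullstatistic.com", "full-statistic.com", "iqxdx4bc.no",
    "jameslipon.no-ip.biz", "kimberlybroher.no-ip.biz", "l7kitc2s.no",
    "lqhggo2s.no", "lqiw5zec.no", "lrzxxcmc.no", "mycg4if7.no", "ohifq4cv.no",
    "olivasonny.no-ip.biz", "patricevaillancourt.sytes.net", "pmesnt54.no",
    "qcm2m742.no", "reserve-statistic.com", "reservestatistic.net",
    "securitystatistic.com", "service-stat.com", "service-statistic.com",
    "service-update.net", "srvupd.com", "srvupd.net", "stockstatistic.com",
    "storestatistic.com", "svcupd.net", "timothymahoney.ddns.me.uk",
    "updservice.net", "updsrv.net", "updsvc.com", "updsvc.net", "wys2mk65.no",
    "y6pqn6ca.no",
}

# Shape of the GET shown in the write-up: one path segment, a 32-hex-digit
# segment, then a small integer.  The first segment is <removed> there, so any
# single segment is accepted.
BEACON_PATH = re.compile(r"^/[^/]+/[0-9a-f]{32}/\d+$")
PAYLOAD_PATH = re.compile(r"/tc\.c1$")

# Constructed log format (assumption): "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def classify_url(url):
    """Return the list of Mevade indicators the URL matches (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in MEVADE_C2_HOSTS:
        reasons.append("host in Mevade C&C list")
    if BEACON_PATH.match(parts.path):
        reasons.append("path has the Mevade beacon shape")
    if PAYLOAD_PATH.search(parts.path):
        reasons.append("requests the tc.c1 payload")
    return reasons


def scan(lines):
    """Return one alert per log line that matches at least one indicator.
    A host-list hit is the strong signal; the path shape alone is only a lead."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # lines that do not fit the expected format are skipped
        reasons = classify_url(m["url"])
        if reasons:
            alerts.append({
                "ts": m["ts"], "client": m["client"],
                "host": (urlsplit(m["url"]).hostname or "").lower(),
                "reasons": reasons,
                "confidence": "high" if any(r.startswith("host") for r in reasons) else "low",
            })
    return alerts


# Constructed sample: 'sample' stands in for the <removed> segment; the 32-hex
# value and the tc.c1 file name come from the write-up.
SAMPLE_LOG = """\
2013-09-13T10:01:02Z 10.0.0.5 GET http://updsvc.net/sample/3f76764a34f81e63df90b61f65b31d75/2
2013-09-13T10:01:09Z 10.0.0.5 GET http://jameslipon.no-ip.biz/sample/tc.c1
2013-09-13T10:02:00Z 10.0.0.7 GET http://www.example.com/index.html
2013-09-13T10:02:30Z 10.0.0.9 GET http://cdn.example.org/x/0123456789abcdef0123456789abcdef/1
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['confidence']}] {a['ts']} {a['client']} -> {a['host']}: {'; '.join(a['reasons'])}")
```

Host matching is exact, which is deliberate: the dynamic-DNS names in the list (no-ip.biz, sytes.net, ddns.me.uk) share parent domains with unrelated hosts, so a suffix match would flag benign traffic. Because variants also reach the C&C over Tor or SSH, an empty result from a proxy log does not rule the infection out; the host-side artefacts still need to be checked.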

Uses your PC to perform clickfraud

Some variants of the family, such as Trojan:Win32/Mevade.A, use your PC's internet connection to perform clickfraud. The MMPC blog post "Another way Microsoft is disrupting the malware ecosystem" explains what clickfraud is and how malware can use your PC to do it.

We have observed Trojan:Win32/Mevade.A using the 3proxy service to proxy HTTP traffic to emulate a user browsing the Internet and clicking on advertisements.

Additional information

The Trojan:Win32/Mevade family is known to use Tor or SSH provided by PuTTY as its C&C communication channels.

Some variants add a Tor service under the display name "Tor Win32 Service". This is a legitimate service that the trojan uses to anonymize its network traffic.

Since August 2013, there has been a noticeable increase in the number of users connecting to the Tor network; this is likely a result of the Trojan:Win32/Mevade family using Tor for its C&C communication. This is shown in the following graph obtained from https://metrics.torproject.org/:



Running files downloaded from peer-to-peer networks such as eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.



Analysis by Geoff McDonald

Symptoms

You may notice sluggish computer performance, large bandwidth usage, and slow Internet performance.

Last update 13 September 2013
