
Trojan:VBS/Mutuodo.A


First posted on 15 February 2019.
Source: Microsoft

Aliases :

There are no other names known for Trojan:VBS/Mutuodo.A.

Explanation :

When run, the malware attempts to create registry entries to ensure that it runs on system startup. For example:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: PriceFountain
With data: wscript.exe /E:vbscript /B "%APPDATA%\PriceFountain\UpdateProc\kup.dat"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: PriceFountain
With data: wscript.exe /E:vbscript /B "%APPDATA%\PriceFountain\UpdateProc\kup.dat"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: Rinapi
With data: wscript.exe /E:vbscript /B "%APPDATA%\Mogan"

It then attempts to launch an executable file, for example, %APPDATA%\PriceFountain\UpdateProc\UpdateTask.exe or %LOCALAPPDATA%\{GUID}\synhelper.exe, where {GUID} is a 32-digit hexadecimal number, e.g., {a4835daf-3520-45d5-9dd9-adc5cbf8a9b2}.

These filenames or paths are associated with the Win32/Prifou family of browser modifiers.
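As an added illustration (not part of the original Microsoft write-up), the following Python script turns the persistence pattern described above into a detection heuristic and runs it over a constructed list of autorun values: Windows Script Host launched from a Run/RunOnce key, the engine forced with /E:vbscript, and the script stored under a user-profile directory with a non-script extension. The hive/key/value/data tuples, the benign control entries, and the backslashes restored in the paths are assumptions made for the example; on a live system the entries would come from a registry export or an autorun-enumeration tool rather than this inline list.

```python
"""Flag Run/RunOnce values matching the Mutuodo.A persistence pattern.

Heuristic (derived from the write-up): a value whose data launches
wscript.exe/cscript.exe with the engine forced via /E:, pointing at a
script kept under %APPDATA%/%LOCALAPPDATA%, usually with an extension
such as .dat (or none) that does not reveal it is a script.
"""
import ntpath
import re
from dataclasses import dataclass, field

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
PROFILE_PREFIXES = ("%appdata%", "%localappdata%", "%userprofile%", "%temp%")
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}


@dataclass
class AutorunEntry:
    hive: str
    subkey: str
    name: str
    data: str


@dataclass
class Finding:
    entry: AutorunEntry
    reasons: list = field(default_factory=list)


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_command_line(cmd):
    """Windows-style tokenizer: a double-quoted run is one token, else split on whitespace."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def analyze_entry(entry):
    """Return a Finding when the entry looks like WSH-based profile persistence, else None."""
    if entry.subkey.lower().strip("\\") not in AUTORUN_KEYS:
        return None
    tokens = split_command_line(entry.data)
    if not tokens or ntpath.basename(tokens[0]).lower() not in SCRIPT_HOSTS:
        return None

    switches = [t.lower() for t in tokens[1:] if t.startswith(("/", "-"))]
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]

    indicators = []  # each one is independently suspicious for an autorun entry
    if any(s.startswith("/e:") for s in switches):
        indicators.append("script engine forced with /E: (file extension hides the script type)")
    for a in args:
        if a.lower().startswith(PROFILE_PREFIXES):
            indicators.append(f"script stored under a user profile directory: {a}")
        ext = ntpath.splitext(a)[1].lower()
        if ext not in SCRIPT_EXTENSIONS:
            indicators.append(f"script has a non-script extension {ext or '(none)'}: {a}")
    if not indicators:
        return None  # a plain .vbs logon script outside the profile is not flagged

    reasons = ["Windows Script Host launched from an autorun key"] + indicators
    if "/b" in switches:
        reasons.append("/B batch mode suppresses script errors and prompts")
    return Finding(entry, reasons)


def scan(entries):
    """Apply analyze_entry to every entry and keep the findings."""
    return [f for f in map(analyze_entry, entries) if f is not None]


RUNONCE = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
MUTUODO_DATA = r'wscript.exe /E:vbscript /B  "%APPDATA%\PriceFountain\UpdateProc\kup.dat"'

# Constructed sample: the three values from the write-up plus two benign controls
# (hypothetical names; the logon script path is invented for the example).
SAMPLE_ENTRIES = [
    AutorunEntry("HKLM", RUNONCE, "PriceFountain", MUTUODO_DATA),
    AutorunEntry("HKCU", RUNONCE, "PriceFountain", MUTUODO_DATA),
    AutorunEntry("HKLM", RUNONCE, "Rinapi", r'wscript.exe /E:vbscript /B "%APPDATA%\Mogan"'),
    AutorunEntry("HKLM", RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    AutorunEntry("HKCU", RUN, "LogonScript", r'wscript.exe "C:\Program Files\Contoso\logon.vbs"'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        e = finding.entry
        print(f"[{e.hive}\\{e.subkey}] {e.name}: {e.data}")
        for reason in finding.reasons:
            print("   -", reason)
```

The heuristic deliberately requires more than "wscript.exe in an autorun key": a plain .vbs logon script launched from Program Files produces no finding, while the three Mutuodo entries are each flagged on two or three independent indicators, which is the signal a triage analyst would want to see listed.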


Analysis by: David Wood

Last update 15 February 2019
