
Trojan:Win32/Matsnu.D


First posted on 15 May 2013.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Matsnu.D.

Explanation :



Installation

When executed, Trojan:Win32/Matsnu.D copies itself to the following locations with a random file name, for example:

  • %TEMP%\cdbukngmoz.pre
  • <system folder>\6c135f46acc0e9de4b69.exe


The malware modifies the following registry entries to ensure that its copy runs each time you start Windows:

In subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
Sets value: "userinit"
With data: "<system folder>\userinit.exe, <system folder>\6c135f46acc0e9de4b69.exe,"

Matsnu deletes the original copy of itself the next time the computer restarts by making the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Sets value: "PendingFileRenameOperations"
With data: "c:\documents and settings\administrator\local settings\temp\cdbukngmoz.pre"

Trojan:Win32/Matsnu.D uses code injection to hinder detection and removal: it injects code into running svchost.exe processes and creates a remote thread in them.



Payload

Modifies computer settings

Trojan:Win32/Matsnu.D disables registry editing tools and task manager by making the following registry modifications:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegedit"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

The malware may modify the following registry entries to register itself as a debugger for legitimate applications, like msconfig and regedit; it does this so that if you try to run the application, the malware runs instead:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
Sets value: "Debugger "
With data: "p9kdmf.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Sets value: "Debugger "
With data: "p9kdmf.exe"
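The following is an added defender-side audit script, not part of the Microsoft write-up, that checks the registry locations listed under Installation and Payload above (the Winlogon Userinit value, PendingFileRenameOperations, the Image File Execution Options Debugger entries for msconfig.exe and regedit.exe, and the Policies values). It assumes the standard paths shown on this page and that a clean Userinit value contains only <system folder>\userinit.exe.

```powershell
# Added example (not from the write-up): audits the registry locations this page
# lists for Matsnu.D persistence and tool hijacking. Run in an elevated prompt.

$findings = @()

# 1. Winlogon Userinit: a clean value holds only "<system folder>\userinit.exe,"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'
$entries  = ($userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($e in $entries) {
    if ($e -ne $expected) { $findings += "Winlogon Userinit has extra entry: $e" }
}

# 2. PendingFileRenameOperations: the write-up shows Matsnu queuing deletion of its
#    own %TEMP% dropper here, so any pending operation on a temp file is worth review.
$sessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sessMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
foreach ($p in @($pending)) {
    if ($p -and $p -match '\\temp\\') { $findings += "PendingFileRenameOperations references temp file: $p" }
}

# 3. IFEO Debugger hijack of msconfig.exe / regedit.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'msconfig.exe', 'regedit.exe') {
    $key = Join-Path $ifeo $exe
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # value name matched after trimming, since the write-up shows "Debugger " with a trailing space
        $dbg = $props.PSObject.Properties | Where-Object { $_.Name.Trim() -eq 'Debugger' }
        foreach ($d in $dbg) { $findings += "IFEO Debugger set for ${exe}: $($d.Value)" }
    }
}

# 4. Policies that disable registry editing and Task Manager
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegedit' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) { $findings += "$($c.Name) is set to 1 under $($c.Path)" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No Matsnu.D-style registry indicators found.' }
```

A Debugger value under IFEO for regedit.exe or msconfig.exe is rarely legitimate, so treat any hit as suspicious unless a known administration tool on that host is documented to set it.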

Contacts remote hosts

Trojan:Win32/Matsnu.D attempts to connect to one of the following remote servers in order to download commands:

  • horad-forum.com/a.php
  • qoa-a.com/a.php
  • spatbe-w.com/a.php


Note that these servers are no longer available.

Commonly, malware may contact a remote host for the following purposes:

  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer


The following commands may be retrieved from the remote server:

  • EXECUTE
  • GEO
  • IMAGES
  • KILL
  • LOAD
  • LOCK
  • UNLOCK
  • UPGRADE
  • UPGRADEURL
  • URLS
  • WAIT




Analysis by Wei Li

Last update 15 May 2013
