
Win32/Mdmbot


First posted on 07 October 2014.
Source: Microsoft

Aliases:

There are no other names known for Win32/Mdmbot.

Explanation:

Threat behavior

Installation

This trojan may be installed by other malware.

The trojan drops either a copy or a variant of itself on your PC. We have seen it drop itself using the following file names and locations:

  • \mdm.exe
  • \rasmon.dll
  • %TEMP%\c_1758.nls
  • %USERPROFILE%\.dll, for example WindowsNetworkingMonitoring.dll
  • %USERPROFILE%\AppMgmt.dll


Some variants will make themselves run every time you start your PC.

Older variants might modify the following registry entry to do this:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "", for example "WindowsNetworkingMonitoring"
With data: "", for example "\mdm.exe"

More recent variants (as of September 2014) instead register themselves as Windows services. They modify or create the following registry keys:

  • HKLM\SYSTEM\CurrentControlSet\Services\RaS\Parameters
  • HKLM\SYSTEM\CurrentControlSet\Services\<system service name>\Parameters
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost


Under those keys they then write one of the following value names. Some are the bogus service names themselves; others (ImagePath, ServiceDll, netsvcs) are standard service-configuration value names that the malware populates so that svchost.exe loads its DLL:

  • ImagePath
  • McpRoXy
  • netsvcs
  • ServiceDll
  • Soundmax
  • SysIns
  • WindowsNetworkingMonitoring


The data for the registry entry will be the location of the malware file.

For example, it might look like this:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "WindowsNetworkingMonitoring"
With data: "%USERPROFILE%\WindowsNetworkingMonitoring.dll"
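The persistence indicators above (dropped files, the HKCU Run value, the bogus service and SvcHost registrations, and the start-page change described further down) can be checked on a live host with the following script. It is an added example for this page, not Microsoft's code. Indicator values are taken from the write-up; two things are assumptions: the *.ax wildcards stand in for file names the write-up elides, and a svchost-hosted ServiceDll located under a user profile or Temp directory is treated as suspicious on its own.

```powershell
# Added example, not part of Microsoft's write-up: a read-only hunt for the
# Win32/Mdmbot persistence artifacts listed above. Indicator values come from
# the text. Assumptions: the *.ax wildcards stand in for file names the write-up
# elides, and a svchost-hosted ServiceDll under a user profile or Temp path is
# treated as suspicious. Run from an elevated prompt so HKLM is fully readable.

$MdmbotServiceNames = 'McpRoXy', 'Soundmax', 'SysIns', 'WindowsNetworkingMonitoring'
$MdmbotFiles = @(
    "$env:TEMP\c_1758.nls",
    "$env:USERPROFILE\AppMgmt.dll",
    "$env:TEMP\_p.ax",
    "$env:TEMP\*.ax",         # assumption: the name before .ax is elided in the write-up
    "$env:windir\Temp\*.ax"   # same
)
# Provider metadata that Get-ItemProperty adds to every result; these are not registry values
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function New-Finding($Type, $Location, $Detail) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
}

function Find-MdmbotArtifacts {
    # 1. Dropped files
    foreach ($pattern in $MdmbotFiles) {
        Get-Item -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            New-Finding 'File' $_.FullName ("{0} bytes, modified {1}" -f $_.Length, $_.LastWriteTime)
        }
    }

    # 2. Older variants: HKCU Run value named after the service or pointing at mdm.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -in $PsMeta) { continue }
            if ($prop.Name -in $MdmbotServiceNames -or "$($prop.Value)" -match '(?i)\\mdm\.exe') {
                New-Finding 'RunKey' "$runKey\$($prop.Name)" $prop.Value
            }
        }
    }

    # 3. Newer variants: a bogus service (including the RaS key the write-up names),
    #    or any service whose ServiceDll lives under a profile or Temp directory
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in (Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue)) {
        $name  = $svc.PSChildName
        $image = (Get-ItemProperty -Path "$servicesKey\$name" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $dll   = (Get-ItemProperty -Path "$servicesKey\$name\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($name -in $MdmbotServiceNames -or $name -eq 'RaS') {
            New-Finding 'Service' "$servicesKey\$name" ("ImagePath={0}; ServiceDll={1}" -f $image, $dll)
        }
        elseif ($dll -and $dll -match '(?i)(\\Users\\|%USERPROFILE%|\\Temp\\)') {
            New-Finding 'Service' "$servicesKey\$name\Parameters\ServiceDll" $dll
        }
    }

    # 4. SvcHost registration: a group (e.g. netsvcs) listing the bogus service,
    #    or a value named after the service whose data is the DLL path
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $svchost = Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue
    if ($svchost) {
        foreach ($prop in $svchost.PSObject.Properties) {
            if ($prop.Name -in $PsMeta) { continue }
            if ($prop.Name -in $MdmbotServiceNames) {
                New-Finding 'SvcHost' "$svchostKey\$($prop.Name)" $prop.Value
            }
            foreach ($member in @($prop.Value)) {   # REG_MULTI_SZ groups come back as string arrays
                if ($member -in $MdmbotServiceNames) {
                    New-Finding 'SvcHost' "$svchostKey\$($prop.Name)" "group lists service $member"
                }
            }
        }
    }

    # 5. Hijacked Internet Explorer start page
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $start = (Get-ItemProperty -Path $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($start -match '(?i)dbsarticles\.com') {
        New-Finding 'StartPage' "$ieKey\Start Page" $start
    }
}

$findings = @(Find-MdmbotArtifacts)
if ($findings.Count -eq 0) { 'No Win32/Mdmbot artifacts found.' } else { $findings | Format-Table -AutoSize }
```

Because the write-up says the DLL and Run-value names are variable, an empty result does not prove a host is clean; the ServiceDll path check in step 3 is the part most likely to catch a renamed variant. The rat_UnInstall mutex mentioned later in this entry is not covered here; it requires a tool that enumerates named kernel objects, such as Sysinternals Handle.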

Payload

Changes security settings

The trojan writes the following registry values, which relate to DCOM and to anonymous (null-session) access. Microsoft's write-up associates these changes with the back door described below:

In subkey: HKLM\Software\Microsoft\OLE
Sets value: "EnableDCOM"
With data: "n"

In subkey: HKLM\Software\System\CurrentControlSet\Lsa
Sets value: "restricanaonymous"
With data: "1"

The misspelled value name and the non-standard key path appear as given in the source. The genuine setting is RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so a value written to the path above does not change the system's real LSA policy, but its presence is a useful indicator in its own right.

Changes Internet Explorer start page

It can also change the Internet Explorer start page through the registry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.dbsarticles.com"

Visiting the new start page may expose the PC to further malware or advertising.

Opens a back door into your PC

Some variants create a process named McpRoXy.exe, which opens a back door to a remote server. The back door's configuration may be saved as one of the following files:

  • %TEMP%\_p.ax
  • %TEMP%\.bak
  • %TEMP%\.ax
  • %windir%\Temp\.ax


The trojan can connect to an IRC server named tap.radioprishtina.net on TCP port 2345. Once connected, it waits for commands from the remote attacker, which include instructions to download and run other files, including additional malware.

Some variants instead try to communicate with one of the following hosts:

  • 360.homeunix.com
  • 111.68.9.93
  • ad04.bounceme.net
  • ftp1.ftpaccess.cc
  • ftp2.homeunix.com


These connections use TCP port 80 or 443 so that the command-and-control traffic blends in with normal web browsing.
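The network indicators above (the IRC server on port 2345, the five fallback hosts, and the use of ports 80 and 443) can be matched against exported proxy or firewall logs. The script below is an added example for this page, not part of Microsoft's write-up. The log format is an assumption: one connection per line as timestamp, source IP, destination host or IP, destination port, action. The sample lines are constructed for the demonstration.

```powershell
# Added example, not part of Microsoft's write-up: match the Win32/Mdmbot network
# indicators above against connection-log lines. Indicator values come from the text.
# Assumption: each log line is "timestamp src dst port action", whitespace-separated.

$MdmbotHosts = 'tap.radioprishtina.net', '360.homeunix.com', 'ad04.bounceme.net',
               'ftp1.ftpaccess.cc', 'ftp2.homeunix.com'
$MdmbotIPs   = @('111.68.9.93')

# Constructed sample log; two legitimate-looking lines and four indicator matches.
$SampleLog = @'
2014-09-30T10:01:12Z 10.0.0.15 www.example.com 443 ALLOW
2014-09-30T10:02:40Z 10.0.0.15 tap.radioprishtina.net 2345 ALLOW
2014-09-30T10:03:05Z 10.0.0.22 111.68.9.93 443 ALLOW
2014-09-30T10:03:09Z 10.0.0.22 ftp2.homeunix.com 80 DENY
2014-09-30T10:04:00Z 10.0.0.31 360.homeunix.com 8080 ALLOW
2014-09-30T10:05:30Z 10.0.0.31 update.example.org 80 ALLOW
'@ -split "`r?`n"

function Find-MdmbotConnections {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }                  # skip malformed lines
        $ts, $src, $dst, $port, $action = $f[0..4]

        $hostHit = ($MdmbotHosts -contains $dst.ToLower()) -or ($MdmbotIPs -contains $dst)
        if (-not $hostHit) { continue }

        # Port tells us which behaviour from the write-up we are looking at
        $assessment = if ([int]$port -eq 2345) { 'IRC command channel (tap.radioprishtina.net:2345)' }
                      elseif ([int]$port -in 80, 443) { 'C2 blending in as web traffic' }
                      else { 'Known host on an unexpected port; investigate' }

        [pscustomobject]@{
            Time        = $ts
            Source      = $src
            Destination = $dst
            Port        = $port
            Action      = $action
            Assessment  = $assessment
        }
    }
}

Find-MdmbotConnections -Lines $SampleLog | Format-Table -AutoSize
```

A DENY line is still worth a host investigation, since the connection attempt means the implant is running. Note also that homeunix.com and bounceme.net are dynamic-DNS parent domains, so the address a name resolves to can change; match on the hostnames in DNS and proxy logs rather than relying only on the single IP listed above.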

Additional information

The trojan can create a mutex with a name similar to rat_UnInstall. This is most likely an infection marker that prevents more than one copy of the threat from running on the PC.



Analysis by Carmen Liang

Symptoms

The following could indicate that you have this threat on your PC:
  • You have these files:
    • %TEMP%\_p.ax
    • %TEMP%\.bak
    • %TEMP%\.ax
    • %windir%\Temp\.ax
    • \mdm.exe
    • \rasmon.dll
    • %TEMP%\c_1758.nls
    • %USERPROFILE%\.dll, for example WindowsNetworkingMonitoring.dll
    • %USERPROFILE%\AppMgmt.dll
  • You see these entries or keys in your registry:


    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "", for example "WindowsNetworkingMonitoring"
    With data: "", for example "\mdm.exe"

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "Start Page"
    With data: "http://www.dbsarticles.com"

  • Your Internet Explorer start page is changed to something you aren't expecting.

Last update 07 October 2014
