Worm:MSIL/Murkados.A
First posted on 23 May 2013.
Source: Microsoft
Aliases:
Worm:MSIL/Murkados.A is also known as Trojan-Ransom.Win32.Blocker.avuh (Kaspersky), W32/Suspicious_Gen4.CWHRE (Norman), Found Luhe.MSIL.D (AVG), TR/Ransom.Blocker.avuh (Avira), Trojan.Generic.KDV.899344 (BitDefender), Trojan.AVKill.28785 (Dr.Web), MSIL/Agent.DI worm (ESET).
Explanation:
Installation
When run, Worm:MSIL/Murkados.A copies itself to c:\programdata\start.exe.
It searches your computer to find chrome.exe. This file indicates that you have the Chrome internet browser installed.
If it finds chrome.exe it renames it to new_chrome.exe. The worm then copies itself to chrome.exe.
Worm:MSIL/Murkados.A makes the following registry modifications to make sure it runs at each Windows start.
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Chrome New"
With data: "c:\programdata\start.exe"
Spreads via...
Removable drives
The worm checks for any removable drives connected to your computer. If it finds a removable drive with a security.exe file, it copies itself onto that drive as security.exe.
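The installation, persistence and removable-drive behaviour described above gives a defender a small set of host indicators to look for: the dropped copy at c:\programdata\start.exe, the HKCU Run value "Chrome New", a legitimate browser renamed to new_chrome.exe with a replacement chrome.exe beside it, and security.exe in the root of a removable drive. The following read-only check is an added example, not code from the Microsoft entry: the file and registry indicators come from the entry, while the Chrome install directories and the function name are our own assumptions.

```powershell
# Added example (not from the Microsoft encyclopedia entry): a read-only host check
# for the indicators the entry describes. Paths, value names and file names are taken
# from the entry; the Chrome install directories and the function name are assumptions.
# Nothing is deleted or modified. Run from an elevated PowerShell prompt.

function Test-MurkadosIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped copy of the worm: c:\programdata\start.exe
    $dropPath = Join-Path $env:ProgramData 'start.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $findings.Add("Dropped copy present: $dropPath")
    }

    # 2. Persistence: HKCU\...\Run value "Chrome New" pointing at start.exe
    $runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Chrome New'
    if ($runValue) {
        $findings.Add("Run value 'Chrome New' is set to: $runValue")
    }

    # 3. Browser hijack: real chrome.exe renamed to new_chrome.exe, worm copied in as chrome.exe.
    #    The entry does not say where the worm looks; the parents below are common Chrome
    #    install locations and are an assumption of this example.
    $chromeParents = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:LOCALAPPDATA) |
        Where-Object { $_ }
    foreach ($parent in $chromeParents) {
        $dir = Join-Path $parent 'Google\Chrome\Application'
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        $renamed = Join-Path $dir 'new_chrome.exe'
        if (Test-Path -LiteralPath $renamed) {
            $findings.Add("Renamed legitimate browser found: $renamed")

            # A chrome.exe sitting beside new_chrome.exe is likely the worm's copy.
            # Heuristic: genuine Chrome carries a valid Authenticode signature.
            $candidate = Join-Path $dir 'chrome.exe'
            if (Test-Path -LiteralPath $candidate) {
                $sig = Get-AuthenticodeSignature -FilePath $candidate
                $findings.Add("chrome.exe beside new_chrome.exe; signature status: $($sig.Status)")
            }
        }
    }

    # 4. Removable-drive spread: security.exe in the root of each removable volume
    #    (Win32_LogicalDisk DriveType 2 = removable disk).
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
    foreach ($vol in $removable) {
        $copy = Join-Path $vol.DeviceID 'security.exe'
        if (Test-Path -LiteralPath $copy) {
            $findings.Add("Removable-drive copy present: $copy")
        }
    }

    return $findings
}

$results = @(Test-MurkadosIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No Murkados.A indicators found on this host.'
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
}
```

The script only reports; a hit on the Run value or the renamed browser is the strongest signal, since both are unusual on a clean host. Note that the Run check looks at HKCU, so it must be run in the context of the user whose profile is being examined.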
Payload
Installs browser extensions
The worm downloads browser extensions for the Chrome browser. The downloaded file can change.
We observed the worm downloading the file flashplayer.crx.
This file uses JavaScript to change your Facebook experience, including 'liking' the website "fcksuspend.com".
Closes Chrome internet browser
Each time it runs, the worm will try to download browser extensions from a remote host. The worm then closes the legitimate Chrome browser to apply the new extension.
The worm runs the following commands to close the Chrome internet browser:
- taskkill /f /im chrome.exe
- taskkill /f /im start.exe
Contacts a remote server
Worm:MSIL/Murkados.A opens the real Chrome browser (new_chrome.exe) and connects to the following server to download Chrome browser extension files (.crx):
- socialmedya.<removed>
Last update 23 May 2013