
Trojan:Win32/Matsnu


First posted on 23 May 2012.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Matsnu.

Explanation:



Trojan:Win32/Matsnu is a trojan that carries out actions on instruction from a remote command-and-control server. It also changes certain computer settings to hinder removal.



Installation

Trojan:Win32/Matsnu copies itself into the <system folder> and %Temp% folders. The copy's file name is derived from the computer's system volume information and is 20 characters long.

It modifies the registry so that it runs at every Windows start. It appends its own path to the Winlogon "userinit" value, so Winlogon launches the malware alongside the legitimate userinit.exe at each logon:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware file name>.exe,"



Payload

Connects to a remote server

Trojan:Win32/Matsnu connects to certain servers to receive instructions and configuration information. It can be instructed to:

  • Take screenshots of the windows currently open on your desktop
  • Report the system's location and operating system version
  • Retrieve additional URLs to connect to
  • Update itself
  • Run arbitrary commands on your computer
  • Delete important system files, which may render your computer unusable


Change computer settings

The settings Trojan:Win32/Matsnu changes depend on the version of Windows you are running.

If you are running Windows XP, it performs the following changes:

Disables registry tools and prevents you from running Registry Editor:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"

Disables Task Manager:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

Disables Safe Mode by deleting the key Windows reads to decide which drivers and services to load in Safe Mode; without it, Safe Mode cannot start:

Deletes subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Hijacks System Configuration (msconfig.exe) and Registry Editor (regedit.exe) through Image File Execution Options. Windows launches the program named in the "Debugger" value whenever either tool is started, so the tool itself only runs if that program chooses to launch it:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
Sets value: "Debugger"
With data: "p9kdmf.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Sets value: "Debugger"
With data: "p9kdmf.exe"

Adds itself to the Windows Firewall list of authorized applications, so its network traffic is allowed through:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware file name>"
With data: "<malware file name>:*:enabled:wsctrl"

Trojan:Win32/Matsnu also deletes files from the System Restore cache, which prevents you from rolling the computer back to an earlier restore point.

If you are running Windows 7, it makes a single change, which disables registry tools, including Registry Editor, for the current user (note the per-user HKCU hive rather than HKLM):

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "0100000"
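The Installation and Change computer settings sections above together describe a fixed set of registry artifacts. The following PowerShell script, added here as an example and not part of the original Microsoft write-up or of the malware, checks a live host for each of them from an elevated prompt; it is read-only and changes nothing. The function names are the editor's own, and the extra heuristic that flags firewall entries whose program path no longer exists is an assumption, not an indicator from the page (the "wsctrl" label is).

```powershell
# Added triage script (editor's example, not Microsoft's or the malware's code).
# Checks the registry artifacts this page attributes to Trojan:Win32/Matsnu.
# Run from an elevated PowerShell prompt. Read-only: nothing is modified.

function Get-MatsnuIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding {
        param($Indicator, $Location, $Detail)
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Detail = $Detail })
    }

    # 1. Winlogon Userinit hijack. Legitimate data is a single entry,
    #    "<system folder>\userinit.exe,"; anything else in the list is suspect.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            if ([IO.Path]::GetFileName($entry) -ine 'userinit.exe') {
                Add-Finding 'Winlogon Userinit hijack' "$winlogon\Userinit" $entry
            }
        }
    }

    # 2. Registry Editor / Task Manager policy lockouts. The XP variant writes
    #    HKLM, the Windows 7 variant writes HKCU, so both hives are checked.
    foreach ($hive in 'HKLM', 'HKCU') {
        $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
            $val = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $val -and "$val" -ne '0') {
                Add-Finding "Policy $name set" "$pol\$name" "$val"
            }
        }
    }

    # 3. SafeBoot key deleted. Windows needs this key to start Safe Mode at all.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    if (-not (Test-Path $safeBoot)) {
        Add-Finding 'SafeBoot key missing' $safeBoot 'Safe Mode cannot start'
    }

    # 4. IFEO Debugger hijack of msconfig.exe and regedit.exe. A legitimate
    #    workstation normally has no Debugger value under either subkey.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'msconfig.exe', 'regedit.exe') {
        $dbg = (Get-ItemProperty -Path "$ifeo\$exe" -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding 'IFEO Debugger hijack' "$ifeo\$exe\Debugger" $dbg }
    }

    # 5. Windows Firewall authorized-applications list (XP-era location).
    #    Matsnu's entry has the form "<path>:*:enabled:wsctrl". As an added
    #    heuristic (editor's assumption), entries whose program no longer exists
    #    on disk are reported too, since a removed sample can leave them behind.
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $list = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
    if ($list) {
        $list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            $exePath = [Environment]::ExpandEnvironmentVariables($_.Name)
            if ($_.Value -like '*:*:enabled:wsctrl' -or -not (Test-Path -LiteralPath $exePath)) {
                Add-Finding 'Firewall authorized application' $fw "$($_.Name) = $($_.Value)"
            }
        }
    }

    return $findings
}

$results = Get-MatsnuIndicators
if ($results) { $results | Format-Table -AutoSize } else { 'No Matsnu registry indicators found.' }
```

When cleaning up, restore the Userinit value to "<system folder>\userinit.exe," rather than deleting it, because Winlogon needs it to complete logon; remove the IFEO "Debugger" values to get msconfig.exe and regedit.exe back; and expect the SafeBoot key to need restoring from a known-good system of the same Windows version, since it cannot be rebuilt by hand.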

Additional information

Trojan:Win32/Matsnu checks whether its own file name contains the string "sand" or "-box" and exits without running if it does, a simple check for automated analysis sandboxes. When detonating a sample, give the file a name containing neither string, or it will appear inert.



Analysis by Matt McCormack

Last update 23 May 2012
