
Trojan:Win32/Mevade.D


First posted on 13 September 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Mevade.D.

Explanation:

Threat behavior

Installation

Variants of this family can be installed by other malware or potentially unwanted software.

We have seen this variant call itself "Adobe Flash Player Update Service" by "Adobe Systems Incorporated", and use the file name FlashPlayerUpdateService.exe.

It copies itself to the following locations:

  • <system folder>
  • <system folder>\Macromed\Flash\


Additionally, on a 64-bit Windows operating system it will also create copies of itself in:

  • %windir%\SysWOW64\
  • %windir%\SysWOW64\Macromed\Flash\


It creates the following jobs so it is run on a scheduled basis:

  • %windir%\Tasks\AdobeFlashPlayerUpdate 2.job
  • %windir%\Tasks\AdobeFlashPlayerUpdate.job


It adds itself as a service under the display name "Adobe Flash Player Update Service" by making the following registry changes:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "0"
With data: "Root\LEGACY_ADOBEFLASHPLAYERUPDATESVC\0000"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "Count"
With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "NextInstance"
With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Security
Sets value: "Security"
With data: "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "Type"
With data: "0x00000020"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "Count"
With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ErrorControl"
With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ImagePath"
With data: "<system folder>\Macromed\Flash\FlashPlayerUpdateService.exe"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "DisplayName"
With data: "Adobe Flash Player Update Service"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ObjectName"
With data: "LocalSystem"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "FailureActions"
With data: "FF FF FF FF 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 30 75 00 00"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "Description"
With data: "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes."
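The "FailureActions" data in the listing above is a serialized SERVICE_FAILURE_ACTIONS structure, and decoding it shows what the service control manager does when the malicious service stops. The decoder below is an added example for triage, not part of the Microsoft write-up and not the malware's own code; its only input is the blob quoted above, and the action-type names are the winsvc.h constants.

```python
import struct

# Constructed from the "FailureActions" data quoted in the registry listing
# above (REG_BINARY, 28 bytes); same bytes, not a separate sample.
FAILURE_ACTIONS_HEX = (
    "FF FF FF FF 00 00 00 00 00 00 00 00 01 00 00 00 "
    "00 00 00 00 01 00 00 00 30 75 00 00"
)

# SC_ACTION.Type constants from the Windows SDK (winsvc.h).
SC_ACTION_TYPES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
                   2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}
INFINITE = 0xFFFFFFFF
HEADER_LEN = 20  # five little-endian DWORDs


def decode_failure_actions(blob: bytes) -> dict:
    """Decode a SERVICE_FAILURE_ACTIONS blob as stored under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>\\FailureActions.

    Header: dwResetPeriod, lpRebootMsg, lpCommand, cActions, lpsaActions,
    then cActions SC_ACTION {Type, Delay_ms} pairs. The pointer fields are
    meaningless on disk: they hold 0 (as in the page's data) or an offset
    from the blob start, and the SC_ACTION array follows the header either way.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than SERVICE_FAILURE_ACTIONS header")
    reset_period, _reboot_msg, _command, count, actions_off = struct.unpack_from("<5I", blob, 0)
    if actions_off < HEADER_LEN:
        actions_off = HEADER_LEN
    if len(blob) < actions_off + 8 * count:
        raise ValueError(f"blob declares {count} actions but holds {len(blob)} bytes")
    actions = []
    for i in range(count):
        kind, delay_ms = struct.unpack_from("<2I", blob, actions_off + 8 * i)
        actions.append((SC_ACTION_TYPES.get(kind, f"UNKNOWN({kind:#x})"), delay_ms))
    return {"reset_period_s": None if reset_period == INFINITE else reset_period,
            "actions": actions}


def describe_failure_actions(blob_hex: str) -> list:
    """Human-readable lines for a triage note or a detection rule description."""
    info = decode_failure_actions(bytes.fromhex(blob_hex.replace(" ", "")))
    reset = info["reset_period_s"]
    lines = ["failure counter reset: never" if reset is None
             else f"failure counter reset after {reset} s"]
    for n, (kind, delay_ms) in enumerate(info["actions"], 1):
        lines.append(f"failure #{n}: {kind} after {delay_ms} ms")
    return lines


if __name__ == "__main__":
    print("\n".join(describe_failure_actions(FAILURE_ACTIONS_HEX)))
```

For the quoted data this reports that the failure count is never reset and that a service failure triggers an automatic restart after 30000 ms, so terminating the process alone does not remove the persistence; the service entry itself must be removed.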


Payload

Downloads malware

The trojan connects to remote servers, known as command and control (C&C) servers. When connected, it attempts to download data that it decrypts into an XML file, which specifies what further files to download or actions to take.

Some of the C&C domains known to be used by this trojan include:

  • srvupd.com
  • srvupd.net
  • svcupd.net
  • updsrv.net
  • updsvc.com
  • updsvc.net


These C&C servers are contacted periodically with a standard HTTP GET request, for example: GET http://updsvc.net/<removed>/3f76764a34f81e63df90b61f65b31d75/2.

We have seen the trojan download and run the following files, among others:

  • http://jameslipon.no-ip.biz/<removed>/tc.c1
  • http://kimberlybroher.no-ip.biz/<removed>/tc.c1
  • http://olivasonny.no-ip.biz/<removed>/tc.c1
  • http://patricevaillancourt.sytes.net/<removed>/tc.c1
  • http://timothymahoney.ddns.me.uk/<removed>/tc.c1


These downloaded files are detected as other variants of the Trojan:Win32/Mevade family, such as Trojan:Win32/Mevade.B and Trojan:Win32/Mevade.gen!, which then spread through the eMule sharing program.

Additional information

The Trojan:Win32/Mevade family is known to use Tor or Secure Shell (SSH) provided by PuTTY as its C&C communication channels.

Running files downloaded from peer-to-peer networks such as eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.



Analysis by Geoff McDonald

Symptoms

You may notice sluggish computer performance, large bandwidth usage, and slow Internet performance.

Last update 13 September 2013
