
TrojanDownloader:Win32/Matcash.L


First posted on 11 May 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Matcash.L is also known as Generic Downloader.x (McAfee), Trojan.Retapu.D (BitDefender), Win32/Matcash.FH (CA), Trojan-Downloader.Win32.Agent.bfjx (Kaspersky), Downloader (Symantec).

Explanation :

TrojanDownloader:Win32/Matcash.L is a trojan that downloads and executes malware from predefined remote websites. The downloaded malware is usually other members of the Win32/Matcash family.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %AppData%\comidle\comidle.exe
  • The presence of the following registry modifications:
    Added value: "comidle"
    With data: "%AppData%\comidle\comidle.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run


Installation
This trojan may be installed by other malware. When run, it executes its payload, which downloads other malware.

Payload
Downloads and executes TrojanDownloader:Win32/Matcash.M
In the wild, this trojan has been observed to download malware from the following websites:
  • lhdzv.wwlax.com
  • czzzz.wwlax.com
  • bugreport.waverevenue.com
The downloaded malware is saved and run as any of the following files:
  • %Temp%\s<random 3 characters>.tmp
  • %Temp%\_<random characters>.tmp
One of the above temporary files is then copied as the following Matcash variant:
  • %AppData%\ptidle\ptidle.exe - detected as TrojanDownloader:Win32/Matcash.M
The registry is modified to execute the dropped copy at each Windows start.
    Adds value: "ptidle"
    With data: "%AppData%\ptidle\ptidle.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Additional Information
TrojanDownloader:Win32/Matcash.L drops and executes the following batch script file to delete its currently running copy after it has performed its payload:
  • %Temp%\at<random>.tmp.bat
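A defender-side check for the persistence and network indicators listed above, written as an added example that is not part of the original advisory: it parses a constructed `reg export` of the HKCU Run key and flags values whose name (comidle, ptidle) or path layout (%AppData%\<name>\<name>.exe) matches the advisory, and scans constructed proxy log lines for the three download hosts. The "OneDrive" and "updater" entries, the user name "alice" and the log lines are constructed sample data.

```python
import re

# Indicators transcribed from the advisory above. %AppData% expands to a
# per-user folder, so the path tail is matched instead of the literal variable.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MATCASH_TAILS = {"comidle": r"\comidle\comidle.exe", "ptidle": r"\ptidle\ptidle.exe"}
DOWNLOAD_HOSTS = {"lhdzv.wwlax.com", "czzzz.wwlax.com", "bugreport.waverevenue.com"}

# Constructed sample input: a `reg export` of the HKCU Run key. The "updater"
# entry is a hypothetical renamed value that still uses the Matcash layout.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"comidle"="%AppData%\\comidle\\comidle.exe"
"updater"="C:\\Users\\alice\\AppData\\Roaming\\ptidle\\ptidle.exe"
'''

# Constructed sample proxy log lines (squid access.log style, shortened).
SAMPLE_PROXY_LOG = [
    "1242000000.001 10.0.0.5 TCP_MISS/200 GET http://www.example.com/ text/html",
    "1242000011.417 10.0.0.5 TCP_MISS/200 GET http://lhdzv.wwlax.com/x.php application/octet-stream",
]

def parse_run_values(reg_text):
    """Return {value_name: data} for the HKCU Run key in a .reg export."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run:
            m = re.match(r'^"([^"]+)"="(.*)"\s*$', line)
            if m:  # .reg files double every backslash in string data
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def find_matcash_persistence(reg_text):
    """Flag Run values matching the advisory's value names or path layout."""
    hits = []
    for name, data in parse_run_values(reg_text).items():
        if name.lower() in MATCASH_TAILS:
            hits.append((name, data, "known Matcash value name"))
        elif any(data.lower().endswith(t) for t in MATCASH_TAILS.values()):
            hits.append((name, data, "Matcash path layout under %AppData%"))
    return hits

def find_download_hosts(log_lines):
    """Return the advisory's download hosts that appear in the log lines."""
    return {h for line in log_lines for h in DOWNLOAD_HOSTS if h in line.lower()}
```

On a live host, feed the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` to `find_matcash_persistence` and your proxy or DNS logs to `find_download_hosts`.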


Analysis by Wei Li

Last update 11 May 2009
