TrojanDownloader:Win32/Matcash.M
First posted on 11 May 2009.
Aliases: Troj/Matcas-Gen (Sophos), Trojan.Win32.Agent2.eit (Kaspersky), Trj/Zlob.KH (Panda).
Explanation:
TrojanDownloader:Win32/Matcash.M is a trojan that downloads and executes arbitrary files from a remote Web site.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
%AppData%\comidle\comidle.exe
The presence of the following registry modifications:
Added value: "comidle"
With data: "%AppData%\comidle\comidle.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Installation
Upon execution, TrojanDownloader:Win32/Matcash.M drops a copy of itself in the system as the file %AppData%\comidle\comidle.exe. It modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "comidle"
With data: "%AppData%\comidle\comidle.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
To prevent the malware file from being removed or renamed, this trojan also creates the following entry:
Adds value: "PendingFileRenameOperations"
With data: ""%AppData% comidlecomidle.exe96t",
To subkey: \Registry\Machine\System\CurrentControlSet\Control\Session Manager
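A read-only check for the persistence artifacts listed above, added here as an example and not part of the original write-up. It assumes the path separators stripped by extraction were backslashes and that the native \Registry\Machine path corresponds to HKLM.

```powershell
# Added example (not from the original write-up): looks for the file, Run-key
# value and PendingFileRenameOperations entry described for Matcash.M.
# Read-only: it reports findings and removes nothing.
$dropPath = Join-Path $env:APPDATA 'comidle\comidle.exe'   # assumed: %AppData%\comidle\comidle.exe
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$smKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$findings = @()

# 1. Dropped copy in %AppData%\comidle
if (Test-Path -LiteralPath $dropPath) {
    $f = Get-Item -LiteralPath $dropPath
    $findings += "file present: $dropPath ($($f.Length) bytes, modified $($f.LastWriteTime))"
}

# 2. Autostart value named "comidle" under the current user's Run key
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['comidle']) {
    $findings += "Run value 'comidle' = $($run.comidle)"
}

# 3. PendingFileRenameOperations entries that mention the dropped file.
#    The value is a REG_MULTI_SZ of source/target pairs that the session
#    manager processes at boot; the trojan uses it to resist removal or renaming.
$pfro = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pfro) {
    $hits = @($pfro | Where-Object { $_ -match 'comidle' })
    if ($hits.Count -gt 0) {
        $findings += "PendingFileRenameOperations references: $($hits -join '; ')"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Matcash.M persistence artifacts found.'
} else {
    Write-Output 'Possible TrojanDownloader:Win32/Matcash.M artifacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated prompt if you want the Session Manager key read on a hardened host; the Run key check works for the current user only.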
Payload
Downloads and Executes Arbitrary Files
TrojanDownloader:Win32/Matcash.M may download files, which may be other malware, from the Web site xul93.pubdomainstr.com. At the time of this writing, the site is not accessible.
Analysis by Wei Li
Last update 11 May 2009