BKDR_MATSNU
Aliases: Trustezeb
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
MATSNU is a family of backdoors that can perform various commands, such as downloading and executing files and updating itself and its C&C server, all of which are common to backdoors. However, one unique capability of MATSNU is its ability to lock or unlock the computer for ransom in response to commands.
Upon execution, it modifies certain registry entries so that its copies run at every system startup and so that tools such as the Registry Editor and Task Manager are disabled. It also deletes certain registry keys to prevent the user from starting the computer in safe mode.
TECHNICAL DETAILS
Installation
This backdoor drops the following copies of itself into the affected system:
- %Application Data%\{random folder name}\{random file name 1}.exe
- %User Temp%\{random file name 2}.pre
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
Other System Modifications
This backdoor adds the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
It adds the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  {random} = "%Application Data%\{random folder name}\{random file name 1}.exe"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = "1"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegedit = "1"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  DisableRegedit = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  DisableTaskMgr = "1"
It deletes the following registry keys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
Other Details
This backdoor connects to the following possibly malicious URLs:
- http://{BLOCKED}hi.com/images/1.php
- http://{BLOCKED}isx.com/ca.php
- http://{BLOCKED}isxf.com/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}ldezovc.com/img/1.php
- http://{BLOCKED}solde.com/images/1.php
- http://{BLOCKED}rfe.com/img/1.php
- http://{BLOCKED}rz.com/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}z.com/ad.php
- http://{BLOCKED}pvsje.com/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}soldevsje.com/af.php
- http://{BLOCKED}xdv.com/img/1.php
- http://{BLOCKED}-oum.com/twep.php
- http://{BLOCKED}xrz.com/as.php
- http://{BLOCKED}zxrz.com/inbox.php
- http://{BLOCKED}zxrz.com/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}esscorn.net/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}fwieg.com/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}wieg.com/aa.php
- http://{BLOCKED}wieg.com/inbox.php
- http://{BLOCKED}wiw.com/img/1.php
- http://{BLOCKED}dkiu.com/odriwsd/forum.php
- http://{BLOCKED}ebspace-apo.com/inbox.php
- http://{BLOCKED}ebspace-apo.com/user-057708/forumv.php
- http://{BLOCKED}ehppf.com/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}nlines.com/inbox.php
- http://{BLOCKED}hppf.com/aa.php
- http://{BLOCKED}omn.com/images/1.php
- http://{BLOCKED}online.com/inbox.php
- http://{BLOCKED}solderx.net
- http://{BLOCKED}solderx.net/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}solderxx.com/ag.php
- http://{BLOCKED}solderxx.com/inbox.php
- http://{BLOCKED}story.net/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}rect-proxy.com/inbox.php
- http://{BLOCKED}nvw.com/TPR0-QQWSKA-423PZS.php
- http://{BLOCKED}-gt.com/inbox.php