MUTOPY

October 28, 2014

ALIASES:

Rodecap

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

Mutopy (also known as Rodecap) is a malware family of Trojans used to download other malware. It also randomizes the way it drops its copies so that anti-malware products will have difficulty in cleaning the affected system.

TECHNICAL DETAILS

Memory Resident: Yes

Payload: Downloads files

Installation

This Trojan drops the following copies of itself into the affected system:

%AppDataLocal%\{filename}
%Application Data%\{filename}
%Application Data%\Microsoft\{filename}
%ProgramData%\{filename}
%System Root%\Users\All Users\{filename}
%System Root%\Users\All Users\Microsoft\{filename}
%System%\drivers\{filename}
%User Profile%\AppData\Local\Microsoft\{filename}
%User Profile%\Local Settings\Application Data\{filename}
%User Profile%\Local Settings\Application Data\Microsoft\{filename}
%User Temp%\{filename}
%Windows%\{filename}
%Windows%\System\{filename}

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Profile% is a user's profile folder, where it usually is C:\Documents and Settings\{user name} on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name} on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It drops the following non-malicious file:

%User Temp%\Twain002.Mtx

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

%User Temp%\~NwcTemp
%User Temp%\~NwcTemp\conh09

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Run
{value} = "{dropped copy}"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Run
{value} = "{dropped copy}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Run
{value} = "{dropped copy}"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Run
{value} = "{dropped copy}"

HKEY_CURRENT_USER\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Policies\Explorer\Run
{value} = "{dropped copy}"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
{value} = "{dropped copy}"

(Note: The default value data of the said registry entry is {blank}.)

Download Routine

This Trojan saves the files it downloads using the following names:

%User Temp%\~NwcTemp\conh09\conhost.exe

Other Details

This Trojan connects to the following possibly malicious URL:

http://{BLOCKED}al.store-apps.org/d/conh09.jpg

NOTES:

The {filename} mentioned in the dropped copies may be the following:

cisvc.exe
clipsrv.exe
cmstp.exe
comrepl.exe
csrss.exe
dllhost.exe
dllhst3g.exe
esentutl.exe
ieudinit.exe
logman.exe
mqtgsvc.exe
mstinit.exe
mstsc.exe
rsvp.exe
sessmgr.exe
spoolsv.exe
wininit.exe
winlogon.exe

The {value} mentioned in the added registry entries may be the following:

Cisvc
ClipSrv
CmSTP
ComRepl
DllHost3g
DllHst
Esent Utl
IEudinit
Logman
Microsoft RSVP
MqtgSVC
MstInit
Mstsc
SessMgr
Spool
Spooler
WinInit
cisvc
cisvc
rsvp
run

MUTOPY

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters