TROJ_MADI
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
MADI is a family of Trojan downloaders. It arrives via exploited files such as .DOC, .PPS, and .JPG, among others. A particular MADI malware was used to target industries and companies in the Middle East. The family gets its name from the prophet Mahdi.
When executed, MADI drops a file containing details related to its original file name/file type to trick users into thinking that these are legitimate files. MADI is known to steal information.
TECHNICAL DETAILS
Installation
This Trojan drops the following copies of itself into the affected system:
- %User Profile%\PrintHood\Officedesktop.exe
- %User Profile%\PrintHood\UpdateOffice.exe
- %User Profile%\UpBackup\Officedesktop.exe
- %User Profile%\UpBackup\UpdateOffice.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It creates the following folders:
- %User Profile%\UpBackup
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This Trojan modifies the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup = "%User Profile%\UpBackup"
(Note: The default value data of the said registry entry is "%User Startup%".)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup = "%User Profile%\UpBackup"
(Note: The default value data of the said registry entry is "%User Startup%".)
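A defender's check for this persistence technique, added here and not part of the original entry: it reads the two Startup shell-folder values the Trojan overwrites, flags any that no longer resolve to a Start Menu\Programs\Startup folder, and lists what would run from the redirected location. The path-suffix test is an assumption covering the default Startup location on the listed Windows versions.

```powershell
# Added example (not from the Trend Micro entry): detect a redirected per-user
# Startup folder, the technique MADI uses to persist via %User Profile%\UpBackup.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'

foreach ($key in 'Shell Folders', 'User Shell Folders') {
    # Both keys carry a "Startup" value; the Trojan rewrites both.
    $raw = (Get-ItemProperty -Path "$base\$key" -Name Startup -ErrorAction SilentlyContinue).Startup
    if (-not $raw) { continue }

    # REG_EXPAND_SZ data may still contain %USERPROFILE%-style tokens; resolve them.
    $resolved = [Environment]::ExpandEnvironmentVariables($raw)

    # Assumption: a legitimate value always ends in Start Menu\Programs\Startup,
    # regardless of the OS-specific prefix (Documents and Settings vs. AppData).
    if ($resolved -notmatch '\\Start Menu\\Programs\\Startup$') {
        Write-Warning "$key\Startup is redirected to: $resolved"

        # Anything in the redirected folder runs at logon; list it for triage.
        Get-ChildItem -Path $resolved -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime |
            Format-Table -AutoSize
    }
    else {
        Write-Output "$key\Startup is at the expected location: $resolved"
    }
}
```

Run it in the context of the user being examined, since the values live under HKEY_CURRENT_USER; other profiles require loading their NTUSER.DAT hive first.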
Other Details
This Trojan connects to the following possibly malicious URLs:
- {BLOCKED}l.in/ASLK/khaki/Abi/UUUU.htm
- {BLOCKED}.{BLOCKED}.57.28/ASLK/khaki/Abi/UUUU.htm